CVE-2016-4793

NameCVE-2016-4793
DescriptionThe clientIp function in CakePHP 3.2.4 and earlier allows remote attackers to spoof their IP via the CLIENT-IP HTTP header.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
ReferencesDLA-835-1
NVD severitymedium

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
cakephp (PTS)jessie1.3.15-2vulnerable
stretch2.8.5-1fixed
bullseye, sid, buster2.10.11-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
cakephpsource(unstable)2.8.3-1
cakephpsourcewheezy1.3.15-1+deb7u2DLA-835-1

Notes

[jessie] - cakephp <no-dsa> (Minor issue)
http://legalhackers.com/advisories/CakePHP-IP-Spoofing-Vulnerability.txt
https://bakery.cakephp.org/2016/03/13/cakephp_2613_2711_282_3017_3112_325_released.html
Fixed by https://github.com/cakephp/cakephp/commit/48af49ddde16c8b99edb701f1c31283455b2b0b6

Search for package or bug name: Reporting problems