Eclipse Kura IP Spoofing via X-Forwarded-For Header
# CVE Reservation Request <!-- There's help in the Eclipse Foundation Project Handbook https://www.eclipse.org/projects/handbook/#vulnerability-cve Note that this issue is configured (see the quick actions at the bottom) to be created as confidential. Note that a vulnerability does not need to actually be resolved before it is reported and that these reports can be revised as needed (reopen the issue to request changes). If you do not know how to fill certain fields, mark that in the comment and we will help you. You can delete the comments (or not). --> The Eclipse Foundation is a [Common Vulnerabilities and Exposures](https://cve.mitre.org/) (CVE) Numbering Authority. Creating this ticket initiates **reservation** of a CVE ID for the documented vulnerability. The reserved CVE ID will be posted in a comment below, and kept **confidential** until explicit publication request. > [!note] > To request CVE *publication*, please open a [CVE publication](https://gitlab.eclipse.org/security/cve-assignment/-/issues/new?issuable_template=CVE%20Publication%20Request) ticket. Please fill in the fields below to draft the CVE record. --- <!-- Required. Specify the project's name (e.g., "Eclipse Dash") and Eclipse Foundation ID, e.g., "technology.dash". --> ## CVE record information **Project name: Eclipse Kura **Project id: iot.kura <!-- Required (for publication). Specify the version range as precisely as possible, e.g., "[3.0, 3.5.1]" or "[3.0, 3.5.1)". Note that using the standard range notion, square brackets are inclusive (i.e., that version is included in the range), and round brakets are exclusive (the vulnerability affects all versions up to but not including the named version). Multiple ranges can be provided. --> **Versions affected: The affected component is org.eclipse.kura:org.eclipse.kura.web2 version range [2.0.600, 2.6.1] and org.eclipse.kura:org.eclipse.kura.rest.provider version range [1.1.0, 1.7.0], which are included in Eclipse Kura version range [5.0.0, 5.6.1]. The issue is resolved in Eclipse Kura 5.6.2. <!-- Required (for publication). The Common Weakness Enumeration (CWE) code comes from here: https://cwe.mitre.org/, e.g., "CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')". Multiple codes can be provided. --> **Common Weakness Enumeration (CWE):** - CWE-348: Use of Less Trusted Source - CWE-807: Reliance on Untrusted Inputs in a Security Decision - CWE-345: Insufficient Verification of Data Authenticity <!-- Optional. The Common Attack Pattern Enumerations and Classifications (CAPEC) code comes from here: https://capec.mitre.org/, e.g., "CAPEC-63: Cross-Site Scripting (XSS)". Multiple codes can be provided. **Common Attack Pattern Enumerations and Classifications (CAPEC):** - {[capec1](https://capec.mitre.org/)} - {[capec2](https://capec.mitre.org/)} - ... --> <!-- Optional. Provide a Common Vulnerability Scoring System (CVSS). Note that if you do not provide this, then some agencies (e.g. NIST) will compute it on the project's behalf. Please be sure to include the CVSS version number, e.g., "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H". There's help here: https://www.first.org/cvss/calculator/4.0 --> **Common Vulnerability Scoring System:** {[cvss](https://www.first.org/cvss/calculator/4.0)} CVSS 4.0 Score: 8.2 / High Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N <!-- Required (for publication). The summary should start with the name of the project, e.g., "Eclipse Vert.x", then a description of the affected versions, followed by a description of the problem. The summary should be concise. For example, "In Eclipse Vert.x version 3.0 to 3.5.1, the HttpServer response headers and HttpClient request headers do not filter carriage return and line feed characters from the header value. This allow unfiltered values to inject a new header in the client request or server response." --> **Summary:** Eclipse Kura versions prior to 5.6.2 trust the client-supplied X-Forwarded-For HTTP header as the authoritative source of the client IP address in audit log entries. The org.eclipse.kura.web2 (Web Console) and org.eclipse.kura.rest.provider (REST API) components use this header as the primary IP source when initializing audit context, and org.eclipse.kura.jetty.customizer unconditionally installs Jetty's ForwardedRequestCustomizer on all HTTP/HTTPS connectors, causing HttpServletRequest.getRemoteAddr() to reflect the attacker-controlled header value. An unauthenticated remote attacker can exploit this vulnerability to bypass IP-based brute-force protections — such as fail2ban — by spoofing the logged IP address to a non-routable value, allowing a brute-force attack to proceed undetected, or to cause a denial of service against a third party by injecting a victim's IP address and triggering a ban on that address. Steps to reproduce: Running a command as `curl -k -v -H "X-Forwarded-For: 6.6.6.6" -u '<username>:<password>' https://172.16.0.1/services/v1/identity/current` will result in an entry in the logs in the form `2026-04-24T15:33:29.909+02:00 raspberrypi EclipseKura 662 - [RequestContext@28392 category="AuditLogger" exception="" priority="WARN" thread="qtp1018388934-105"] {rest.method=GET, rest.path=v1/identity/current, entrypoint=RestService, ip=6.6.6.6} Rest - Failure - Service not found` presenting the source IP as 6.6.6.6 instead of the actual source IP <!-- Required (for publication). Include a link to the issue (e.g., GitHub Security Advisory) that's being used to track/resolve the issue. Other links that provide more information can be provided. For example, you may later publish the link to the fix commit. --> **Links:** - https://github.com/eclipse-kura/kura/pull/6219 - https://github.com/eclipse-kura/kura/pull/6218 - https://github.com/eclipse-kura/kura/releases/tag/KURA_5.6.2_RELEASE <!-- Optional. Add the name or pseudonym of the person who has reported the issue. --> **Credits:** Adam N'diaye - HON s.r.l - Company of TUV Rheinland Group <!-- Quick actions will configure the state of the issue. Leave these. --> <!-- Keep this as the last line -->
issue

Copyright © Eclipse Foundation AISBL. All rights reserved.     Privacy Policy | Terms of Use | Copyright Agent