🟠 高危 | CVE-2026-9561 — Eclipse Kura versions prior to 5.6.2 trust the cli...
🟠 《高危安全漏洞:CVE-2026-9561》
CVSS 评分: 高危(8.8) 状态: Awaiting Analysis 发布时间: 2026-07-14
漏洞描述
Eclipse Kura versions prior to 5.6.2 trust the client-supplied X-Forwarded-For HTTP header as the authoritative source of the client IP address in audit log entries. The org.eclipse.kura.web2 (Web Console) and org.eclipse.kura.rest.provider (REST API) components use this header as the primary IP source when initializing audit context, and org.eclipse.kura.jetty.customizer unconditionally installs Jetty's ForwardedRequestCustomizer on all HTTP/HTTPS connectors, causing HttpServletRequest.getRemoteAddr() to reflect the attacker-controlled header value. An unauthenticated remote attacker can exploit this vulnerability to bypass IP-based brute-force protections — such as fail2ban — by spoofing the logged IP address to a non-routable value, allowing a brute-force attack to proceed undetected, or to cause a denial of service against a third party by injecting a victim's IP address and triggering a ban on that address.
🔍 技术细节
| 字段 | 值 |
|---|---|
| CVE ID | CVE-2026-9561 |
| CVSS 评分 | 8.8 🟠 |
| 严重程度 | 高危 |
| CVSS 向量 | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| CWE 分类 | CWE-345,CWE-348,CWE-807 |
| 发布时间 | 2026-07-14 |
| 最后更新 | 2026-07-14 |
| 状态 | Awaiting Analysis |
| 数据来源 | emo@eclipse.org |