Eclipse Kura
Monthly
Log integrity spoofing in Eclipse Kura before 5.6.2 lets an unauthenticated remote attacker forge the client IP recorded in audit logs by supplying a crafted X-Forwarded-For header, because the Jetty ForwardedRequestCustomizer is installed unconditionally on every connector and getRemoteAddr() reflects the header value. This enables bypass of IP-based brute-force defenses like fail2ban (spoofing a non-routable source to evade bans) or a denial of service against a third party by injecting a victim IP so their address is banned. No public exploit is identified at time of analysis and it is not on CISA KEV; CVSS 4.0 base score is 8.8.
Log integrity spoofing in Eclipse Kura before 5.6.2 lets an unauthenticated remote attacker forge the client IP recorded in audit logs by supplying a crafted X-Forwarded-For header, because the Jetty ForwardedRequestCustomizer is installed unconditionally on every connector and getRemoteAddr() reflects the header value. This enables bypass of IP-based brute-force defenses like fail2ban (spoofing a non-routable source to evade bans) or a denial of service against a third party by injecting a victim IP so their address is banned. No public exploit is identified at time of analysis and it is not on CISA KEV; CVSS 4.0 base score is 8.8.