In Webswing's configuration a ${clientIp} variable can be used to pass the client's IP address to swing. The variable can be used as an application startup argument or other configuration fields. Value of this variable is resolved from the X-Forwarded-For request header. The X-Forwarded-For header can be manipulated by a client to store an arbitrary value that is used to replace the clientIp variable (without sanitization). A client can thus inject multiple arguments into the session startup. This can ultimately lead to remote code execution in some situations.

Who is impacted?

Your installation is impacted if you are using the ${clientIp} variable in webswing.config configuration file and using one of the affected versions of Webswing.

Fixed Versions

Vulnerability is fixed in following versions:

  • 22.1.3 and newer
  • 21.2.12 and newer
  • 21.1.8 and newer
  • 20.2.19 and newer
  • 20.1.16 and newer

all older version are vulnerable.


Upgrade to a fixed version or remove the ${clientIp} variable from configuration.

Date Published: 08/07/2022
[Discoverers Brian Sullivan and Jeremy Chisamore]

PreviousW-JAX Conference November 2022

NextWebswing Development Vision Updated