VDB

GCVE-110-CLOUD-2022-0031

GCVE-110-CLOUD-2022-0031
Advisory Published
Vulnetix · Advisory published May 17, 2022
While testing rate-limiter protection, The researcher noticed that when forcing HTTP/1 requests and injecting a space after `X-Forwarded-For` he was able to override this specific header, letting him impersonate any IP. Any internal header could have beem overridden, also the one that should not be exposed/forwarded by the client, such as `CloudFront-Viewer-Country-Region` or any other `CloudFront` enhanced header. This special security issue was affecting all AWS users with that a specific setting enabled.

Affected Products

VendorProductVersionsPlatforms
AWSELB
AWSCloudFront

References

advisory
advisory

Browse GCVE Records

73,443 records in the GCVE database · Updated July 18, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›