VDB
GCVE-110-CLOUD-2022-0031
GCVE-110-CLOUD-2022-0031
Advisory Published
While testing rate-limiter protection, The researcher noticed that when forcing HTTP/1 requests and injecting
a space after `X-Forwarded-For` he was able to override this specific header, letting him impersonate any IP.
Any internal header could have beem overridden, also the one that should not be exposed/forwarded by the
client, such as `CloudFront-Viewer-Country-Region` or any other `CloudFront` enhanced header.
This special security issue was affecting all AWS users with that a specific setting enabled.
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| AWS | ELB | — | — |
| AWS | CloudFront | — | — |
Browse GCVE Records
73,443 records in the GCVE database · Updated July 18, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.