CVE-2022-23556: 
PHP vulnerability analysis and mitigation

CodeIgniter, a PHP full-stack web framework, was found to contain a vulnerability (CVE-2022-23556) that allows attackers to spoof their IP address when the server is behind a reverse proxy. The vulnerability was disclosed on December 22, 2022, affecting CodeIgniter versions from 4.0.0 up to (excluding) 4.2.11 (NVD, GitHub Advisory).

The vulnerability stems from insufficient verification of data authenticity (CWE-345) in the IP address handling mechanism when the application is behind a reverse proxy. The vulnerability has received a CVSS v3.1 base score of 7.5 HIGH from NVD with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N, indicating network accessibility with low attack complexity and no required privileges or user interaction (NVD).

When exploited, this vulnerability allows attackers to spoof their IP address, potentially bypassing IP-based security controls and making it difficult to track or block malicious actors. This could lead to unauthorized access and compromise of IP-based security measures (GitHub Advisory).

The vulnerability has been patched in CodeIgniter version 4.2.11. Users are advised to upgrade to version 4.2.11 or later and properly configure Config\App::$proxyIPs. As a temporary workaround, users can avoid using the $request->getIPAddress() method (GitHub Advisory).