From this web page screenshot, the following key information about the vulnerability can be obtained:

1. Vulnerability description:
- Title: Bypassing rate limiting with X-Forwarded-For header
- Severity: Moderate (4.8 / 10)
- CVSS v3 base metrics:
  - Attack vector: Network
  - Attack complexity: High
  - Privileges required: None
  - User interaction: None
  - Scope: Unchanged
  - Confidentiality: Low
  - Integrity: None
  - Availability: Low

2. Affected versions:
- <= 4.2.8
- <= 4.1.16
- 4.2.9
- 4.1.17

3. Vulnerability details:
- Rate limiting is applied to most API endpoints by default. However, in some incorrect configurations, the measure can be circumvented by setting the request header .
- Provided they manage to directly connect to , an attacker can spoof their IP address by setting the or HTTP header, and use that to bypass most rate-limiting.
- Most of Mastodon's rate-limiting is done through and explicitly exempting 127.0.0.1 from those, allowing an attacker to bypass them if they manage to spoof their IP address.

4. Impact:
- By bypassing the rate limiting measure, all other protective measures based on it (such as brute force detection) are also rendered ineffective.
- An attacker could, for example, try to guess valid usernames and corresponding passwords in an automated fashion.
- Users could use the header to pretend to connect from a different IP address (in the associated log entry).

5. Discoverer:
- This security issue has been found by mgm security partners, during a security audit commissioned by the BSI.

6. Vulnerability identifiers:
- CVE-2023-49952
- CWE-307

7. Reporter and coordinator:
- Eichner
- rimi

This information provides the key details of the vulnerability: its description, the affected scope, who discovered it, and its identifiers.
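The misconfiguration in section 3, shown as an added illustration that is not Mastodon's code: a toy rate limiter keyed on the client IP, with the weak header handling (trust X-Forwarded-For from anyone, so a client can claim the exempted 127.0.0.1) beside a hardened resolver that only honours the header when the TCP peer is a trusted reverse proxy. The trusted proxy ranges, the limit and the sample addresses are assumed.

```ruby
require 'ipaddr'

# Assumed deployment: the only hosts allowed to set X-Forwarded-For.
TRUSTED_PROXIES = [IPAddr.new('127.0.0.1'), IPAddr.new('10.0.0.0/8')].freeze

def trusted?(ip)
  TRUSTED_PROXIES.any? { |net| net.include?(IPAddr.new(ip)) }
rescue IPAddr::InvalidAddressError
  false
end

# Weak: the first X-Forwarded-For entry wins, whoever wrote it. A direct
# client can therefore choose its own rate-limit key, including 127.0.0.1.
def weak_client_ip(remote_addr, forwarded_for)
  hops = (forwarded_for || '').split(',').map(&:strip).reject(&:empty?)
  hops.empty? ? remote_addr : hops.first
end

# Hardened: start from the TCP peer and walk the chain right-to-left,
# stepping past trusted proxies only. Header entries written by an
# untrusted peer are never consulted.
def hardened_client_ip(remote_addr, forwarded_for)
  hops = (forwarded_for || '').split(',').map(&:strip).reject(&:empty?)
  candidate = remote_addr
  candidate = hops.pop while trusted?(candidate) && !hops.empty?
  candidate
end

class RateLimiter
  def initialize(limit)
    @limit = limit
    @counts = Hash.new(0)
  end

  # Loopback is exempt, mirroring the exemption the advisory describes.
  def allow?(client_ip)
    return true if client_ip == '127.0.0.1'
    @counts[client_ip] += 1
    @counts[client_ip] <= @limit
  end
end

# Sends `requests` identical requests and returns how many were allowed.
def simulate(limit, remote_addr, forwarded_for, requests, resolver)
  limiter = RateLimiter.new(limit)
  requests.times.count { limiter.allow?(send(resolver, remote_addr, forwarded_for)) }
end
```

With a real client at 203.0.113.5 behind the trusted proxy at 127.0.0.1 sending `X-Forwarded-For: 127.0.0.1, 203.0.113.5`, the weak resolver keys on 127.0.0.1 and every request is allowed, while the hardened one keys on 203.0.113.5 and the limit holds.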