CVE-2020-37056

9.8 CRITICAL
Published: January 30, 2026 Modified: February 03, 2026

Description

Crystal Shard http-protection 0.2.0 contains an IP spoofing vulnerability that allows attackers to bypass protection middleware by manipulating request headers. Attackers can hardcode consistent IP values across X-Forwarded-For, X-Client-IP, and X-Real-IP headers to circumvent security checks and gain unauthorized access.

AI Explanation

### 1. Summary

This vulnerability allows attackers to spoof their IP address by manipulating HTTP headers (`X-Forwarded-For`, `X-Client-IP`, `X-Real-IP`) in the Crystal Shard `http-protection` library v0.2.0. This bypasses IP-based security checks (e.g., rate limiting, access controls), potentially enabling unauthorized access.

### 2. Affected Products/Versions

- **Product**: Crystal Shard `http-protection` library
- **Affected Version**: **0.2.0 only** (earlier/later versions are not mentioned in the CVE).

### 3. Attacker Impact

If exploited, attackers can:

- **Bypass IP-based security middleware** (e.g., blocklists, rate limits, geographic restrictions).
- **Gain unauthorized access** to protected resources by impersonating a trusted IP address.

### 4. Recommended Remediation

- **Update immediately**: Upgrade `http-protection` to a patched version (post-0.2.0). Check the library's [GitHub](https://github.com/crystal-shard/http-protection) for fixes.
- **Mitigation (if unable to update)**:
  - Disable or harden trust in proxy headers (e.g., only allow `X-Forwarded-For` from trusted reverse proxies).
  - Implement additional authentication/authorization layers not reliant on IP headers.
- **Verify**: Audit dependencies to ensure v0.2.0 is removed.

> **Critical Note**: CVSS 9.8 severity demands immediate action. Test patches in non-production environments first.
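The mitigation above ("only allow `X-Forwarded-For` from trusted reverse proxies") is the part a defender has to get right. The following is an added example, not code from the `http-protection` shard or from the CVE: a framework-agnostic Python resolver that shows the weak pattern the CVE describes (any client-controlled header overrides the socket peer) next to a hardened one that ignores `X-Client-IP` and `X-Real-IP` entirely, consults `X-Forwarded-For` only when the TCP peer is a trusted proxy, and walks the chain from the right so that only the entry appended by the trusted proxy is believed. The trusted-proxy ranges, the `headers`/`peer_ip` inputs and all sample addresses are constructed assumptions for this example.

```python
import ipaddress
from typing import Iterable, Mapping, Optional

# Constructed for this example: address ranges of the reverse proxies we control.
# In a real deployment this comes from the infrastructure inventory, never from a request.
TRUSTED_PROXIES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("127.0.0.1/32"),
]

PROXY_HEADERS = ("X-Forwarded-For", "X-Client-IP", "X-Real-IP")


def _get_header(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup over a plain dict (assumed input shape)."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def _parse_ip(value: str) -> Optional[ipaddress._BaseAddress]:
    try:
        return ipaddress.ip_address(value.strip())
    except ValueError:
        return None


def is_trusted_proxy(ip_str: str, trusted: Iterable[ipaddress._BaseNetwork] = TRUSTED_PROXIES) -> bool:
    ip = _parse_ip(ip_str)
    return ip is not None and any(ip in net for net in trusted)


def naive_client_ip(headers: Mapping[str, str], peer_ip: str) -> str:
    """The weak pattern the advisory describes: whichever spoofable header is
    present wins over the address the TCP connection actually came from."""
    for name in PROXY_HEADERS:
        value = _get_header(headers, name)
        if value:
            return value.split(",")[0].strip()
    return peer_ip


def hardened_client_ip(headers: Mapping[str, str], peer_ip: str,
                       trusted: Iterable[ipaddress._BaseNetwork] = TRUSTED_PROXIES) -> str:
    """Resolve the client address without trusting anything the client can write.

    1. If the TCP peer is not one of our proxies, headers are ignored outright.
    2. Only X-Forwarded-For is honoured; X-Client-IP / X-Real-IP are never read.
    3. The chain is walked from the right. Each trusted proxy appends the address
       it saw, so the rightmost non-proxy entry is the one our proxy observed;
       anything to its left was supplied by the client and is discarded.
    4. A malformed entry at that position falls back to the peer address.
    """
    trusted = list(trusted)
    if not is_trusted_proxy(peer_ip, trusted):
        return peer_ip
    xff = _get_header(headers, "X-Forwarded-For") or ""
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        if is_trusted_proxy(hop, trusted):
            continue  # another of our proxies; keep walking left
        return hop if _parse_ip(hop) is not None else peer_ip
    return peer_ip  # header absent or contains only our own proxies


if __name__ == "__main__":
    # Constructed request: untrusted peer sends identical values in all three headers.
    spoofed = {name: "192.0.2.10" for name in PROXY_HEADERS}
    print("naive   :", naive_client_ip(spoofed, "198.51.100.4"))     # 192.0.2.10 (spoofed)
    print("hardened:", hardened_client_ip(spoofed, "198.51.100.4"))  # 198.51.100.4 (real peer)
    # Constructed request arriving through our proxy 10.0.0.9, which appended 203.0.113.7.
    via_proxy = {"X-Forwarded-For": "192.0.2.10, 203.0.113.7"}
    print("hardened:", hardened_client_ip(via_proxy, "10.0.0.9"))   # 203.0.113.7
```

The design point is that the rightmost-untrusted walk only works if every proxy in `TRUSTED_PROXIES` is guaranteed to append the peer it saw; if a proxy forwards `X-Forwarded-For` untouched, it must be removed from the trusted list or the header stripped at the edge.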

Generated: 2026-02-01 01:08

CVSS v3.x Details

Vector String
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References to Advisories, Solutions, and Tools


3 reference(s) from NVD

Quick Stats

CVSS v3 Score
9.8 / 10.0
EPSS (Exploit Probability)
0.0%
5th percentile
Exploitation Status
Not in CISA KEV

Weaknesses (CWE)