Security release 2023.7.1 of pretix
Today, we've internally discovered a security issue inside pretix. We therefore just released versions 2023.7.1, 2023.6.1, and 4.20.2 of pretix that fix this problem. It is strongly recommended that you update your installation as soon as possible.
This security issue only affects self-hosted versions of pretix. If you are a customer of our pretix Hosted service, you are not affected.
#1: Incorrect configuration parsing leading to incorrect handling of HTTP headers [MEDIUM]
CVE ID: CVE-2023-44463
pretix is usually deployed behind a reverse proxy and can therefore handle the X-Forwarded-For, X-Forwarded-Host, and X-Forwarded-Proto headers to get access to the original source IP address, host name and protocol used by the client.
This behaviour is off by default and needs to be enabled in the pretix.cfg configuration file like this:
trust_x_forwarded_for=on
trust_x_forwarded_proto=on
trust_x_forwarded_host=on
However, there was a bug in parsing these configuration values and the headers have been trusted even if the settings have been set to off. More specifically, as long as the configuration flags have been set, regardless of their value, they have been considered on. The headers have only been ignored if the configuration flags have been missing entirely.
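The parsing mistake described above, as an added illustration that is not pretix's own code: a presence check on the config key treats "off" exactly like "on", while parsing the value (here via configparser.getboolean, a stand-in for whatever pretix uses internally) honours the operator's choice. The pretix.cfg fragment and the X-Forwarded-For value are constructed; the functions `trusts_buggy`, `trusts_fixed` and `client_ip` are hypothetical names.

```python
import configparser
from typing import Callable, Dict

# Constructed pretix.cfg fragment: the operator has explicitly disabled
# trust in the forwarding headers.
SAMPLE_CFG = """
[pretix]
trust_x_forwarded_for=off
trust_x_forwarded_proto=off
trust_x_forwarded_host=off
"""


def load_cfg(text: str) -> configparser.ConfigParser:
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    return cfg


def trusts_buggy(cfg: configparser.ConfigParser, flag: str) -> bool:
    # The failure mode from the advisory: only checks whether the key is
    # present, so any value, including "off", enables trust. Illustrative.
    return cfg.has_option("pretix", flag)


def trusts_fixed(cfg: configparser.ConfigParser, flag: str) -> bool:
    # Parse the value: a missing key and "off"/"no"/"false"/"0" all mean
    # "do not trust"; only "on"/"yes"/"true"/"1" enable trust.
    return cfg.getboolean("pretix", flag, fallback=False)


def client_ip(cfg: configparser.ConfigParser, remote_addr: str,
              headers: Dict[str, str],
              trusts: Callable[[configparser.ConfigParser, str], bool]) -> str:
    # remote_addr is the TCP peer (the reverse proxy, if one is in front).
    # When trusted, the leftmost X-Forwarded-For entry is taken as the client.
    xff = headers.get("X-Forwarded-For")
    if xff and trusts(cfg, "trust_x_forwarded_for"):
        return xff.split(",")[0].strip()
    return remote_addr


if __name__ == "__main__":
    cfg = load_cfg(SAMPLE_CFG)
    hdrs = {"X-Forwarded-For": "203.0.113.9, 10.0.0.2"}  # constructed
    print(client_ip(cfg, "10.0.0.2", hdrs, trusts_buggy))  # 203.0.113.9 (header honoured despite off)
    print(client_ip(cfg, "10.0.0.2", hdrs, trusts_fixed))  # 10.0.0.2
```

Running the same check against your own pretix.cfg before upgrading shows whether the flags you set to off were in fact being honoured.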
Severity rating: The security impact on a typical pretix installation is low since our installation guide recommends setting the flags to on and recommends a safe reverse proxy config that controls these headers. A security problem arises if (a) a reverse proxy config is used that allows the user to set these headers themselves and (b) the config flags have been turned off explicitly. Additionally, the impact in this case is limited since pretix itself does not use the host name or IP address for access control. The biggest impact within pretix is that some rate-limiting features are based on IP addresses and could be circumvented. A higher impact would be possible if additional access control based on host names is used in addition to pretix, or if a plugin relies on correct IP addresses for other reasons. We therefore assess the severity of this issue as medium.
Affected versions: pretix versions 3.0.0 until 2023.7.0 are affected.
This issue has been found internally.
Fixed versions
All pretix installations are affected. We just released updates for the last three stable versions on PyPI that fix the problem. If you run a pretix installation older than 4.20, please upgrade to a recent version now.
The new docker images will appear on Docker Hub over the next few hours.
We strongly recommend that you always run the latest version of pretix, as every release contains useful and important bug fixes, even if they are not security related.
If you want to keep updated about bugfix and security releases, you should follow this blog closely. An RSS feed is available and we also announce every blog post on Mastodon.
We take the security of our product very seriously and always go the extra mile to make sure you stay safe. As we are humans, security issues unfortunately still might occur from time to time. We do everything we can to find and fix them as timely as we can. If you notice any security problems or have any questions on this topic, please contact us in private at security@pretix.eu. We will always treat your message with the appropriate priority.