Security release 2023.7.1 of pretix
Today, we've internally discovered a security issue inside pretix. We therefore just released versions 2023.7.1, 2023.6.1, and 4.20.2 of pretix that fix this problem. It is strongly recommended that you update your installation as soon as possible.
This security issue only affects self-hosted versions of pretix. If you are a customer of our pretix Hosted service, you are not affected.
#1: Incorrect configuration parsing leading to incorrect handling of HTTP headers [MEDIUM]
CVE ID: not yet assigned
pretix is usually deployed behind a reverse proxy and can therefore handle the
X-Forwarded-Proto headers to get access to the original source IP address, host name and protocol used by the
This behaviour is off by default and needs to be enabled in the
pretix.cfg configuration file like this:
trust_x_forwarded_for=on trust_x_forwarded_proto=on trust_x_forwarded_host=on
However, there was a bug in parsing these configuration values and the headers have been trusted even if the settings
have been set to
off. More specifically, as long as the configuration flags have been set, regardless of their value,
they have been considered
on. The headers have only been ignored if the configuration flags have been missing entirely.
Severity rating: The security impact on a typical pretix installation is low since our installation guide recommends
setting the flags to
on and recommends a safe reverse proxy config that controls these headers. A security problem
arises if (a) a reverse proxy config is used that allows the user to set these headers themselves and (b) the config flags
have been turned off explicitly. Additionally, the impact in this case is limited since pretix itself does not use
the host name or IP address for access control. The biggest impact within pretix is that some rate-limiting features are
based on IP addresses and could be circumvented. A higher impact would be possible if additional access control based on
host names is used in addition to pretix, or if a plugin relies on correct IP addresses for other reasons.
We therefore assess the severity of this issue as medium.
Affected versions: pretix versions 3.0.0 until 2023.7.0 are affected.
This issue has been found internally.
All pretix installations are affected. We just released updates for the last three stable versions on PyPI that fix the problem. If you run a pretix installation older than 4.20, please upgrade to a recent version now.
The new docker images will appear on Docker Hub over the next few hours.
We strongly recommend that you always run the latest version of pretix, as every release contains useful and important bug fixes, even if they are not security related.
We take the security of our product very seriously and always go the extra mile to make sure you stay safe. As we are humans, security issues unfortunately still might occur from time to time. We do everything we can to find and fix them as timely as we can. If you notice any security problems or have any questions on this topic, please contact us in private at firstname.lastname@example.org. We will always treat your message with the appropriate priority.