GHSA-mjw4-xvx6-3grg
Vulnerability from github
Published
2022-09-14 00:00
Modified
2022-09-16 21:35
Severity
Summary
rdiffweb 2.4.1 vulnerable to Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
Details
rdiffweb version 2.4.1 is vulnerable to Sensitive Cookie in HTTPS Session Without 'Secure' Attribute. This makes it so that a user's cookies can be sent to the server with an unencrypted request over the HTTP protocol. Version 2.4.2 contains a fix for the issue.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "rdiffweb"
},
"ranges": [
{
"events": [
{
"introduced": "2.4.1"
},
{
"fixed": "2.4.2"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"2.4.1"
]
}
],
"aliases": [
"CVE-2022-3174"
],
"database_specific": {
"cwe_ids": [
"CWE-311",
"CWE-614"
],
"github_reviewed": true,
"github_reviewed_at": "2022-09-15T03:22:39Z",
"nvd_published_at": "2022-09-13T10:15:00Z",
"severity": "HIGH"
},
"details": "rdiffweb version 2.4.1 is vulnerable to Sensitive Cookie in HTTPS Session Without \u0027Secure\u0027 Attribute. This makes it so that a user\u0027s cookies can be sent to the server with an unencrypted request over the HTTP protocol. Version 2.4.2 contains a fix for the issue.",
"id": "GHSA-mjw4-xvx6-3grg",
"modified": "2022-09-16T21:35:41Z",
"published": "2022-09-14T00:00:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3174"
},
{
"type": "WEB",
"url": "https://github.com/ikus060/rdiffweb/commit/f2de2371c5e13ce1c6fd6f9a1ed3e5d46b93cd7e"
},
{
"type": "PACKAGE",
"url": "https://github.com/ikus060/rdiffweb"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/rdiffweb/PYSEC-2022-271.yaml"
},
{
"type": "WEB",
"url": "https://huntr.dev/bounties/d8a32bd6-c76d-4140-a5ca-ef368a3058ce"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "rdiffweb 2.4.1 vulnerable to Sensitive Cookie in HTTPS Session Without \u0027Secure\u0027 Attribute"
}
Loading...