CVE-2022-3174 – rdiffweb
Package
Manager: pip
Name: rdiffweb
Vulnerable Version: =2.4.1 || >=2.4.1 <2.4.2
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00097 (percentile 0.27802)
Details
rdiffweb vulnerable to Sensitive Cookie in HTTPS Session Without 'Secure' Attribute

rdiffweb version 2.4.1 is vulnerable to Sensitive Cookie in HTTPS Session Without 'Secure' Attribute. Because the cookie lacks the 'Secure' attribute, a user's cookies can be sent to the server in an unencrypted request over the HTTP protocol. Version 2.4.2 contains a fix for the issue.
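A response-header check for this weakness, as an added example that is not part of the advisory or of rdiffweb's code. The cookie names and header values are constructed sample data, and the function names are hypothetical.

```python
# Added example: find cookies set without the Secure attribute (CWE-614).
# Input is the list of Set-Cookie header values taken from an HTTPS response.

def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (cookie_name, {attribute: value or True})."""
    parts = [p.strip() for p in header_value.split(";")]
    # The first segment is always name=value; everything after it is an attribute.
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue  # tolerate a trailing ';'
        key, sep, val = part.partition("=")
        # Attribute names are case-insensitive; flag attributes carry no value.
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name, attrs


def cookies_missing_secure(set_cookie_values):
    """Return the names of cookies a browser would also send over plain HTTP."""
    missing = []
    for raw in set_cookie_values:
        name, attrs = parse_set_cookie(raw)
        if "secure" not in attrs:
            missing.append(name)
    return missing


# Constructed sample headers (not captured from a real rdiffweb instance).
SAMPLE_HEADERS = [
    "session_id=3f9a; Path=/; HttpOnly",            # no Secure: flagged
    "session_id=3f9a; Path=/; HttpOnly; Secure",    # correct
    "secure=1; Path=/",                             # cookie *named* secure, still flagged
    "prefs=dark; path=/; SECURE; SameSite=Lax;",    # attribute case does not matter
]

if __name__ == "__main__":
    for cookie_name in cookies_missing_secure(SAMPLE_HEADERS):
        print(f"cookie {cookie_name!r} is set without the Secure attribute")
```

Parsing the attributes rather than searching for the substring "secure" avoids a false pass on the third sample, where the word appears only as the cookie's name.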
Metadata
Created: 2022-09-14T00:00:51Z
Modified: 2024-10-25T21:32:37Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/09/GHSA-mjw4-xvx6-3grg/GHSA-mjw4-xvx6-3grg.json
CWE IDs: ["CWE-311", "CWE-614"]
Alternative ID: GHSA-mjw4-xvx6-3grg
Finding: F042
Auto approve: 1