CVE-2022-4722 – rdiffweb
Package
Manager: pip
Name: rdiffweb
Vulnerable Version: >=0 <2.5.5
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.00245 (percentile 0.47742)
Details
rdiffweb vulnerable to Authentication Bypass by Primary Weakness
In rdiffweb prior to 2.5.5, the username field is not enforced as unique. A second account can be created whose name is the same as an existing user's when written with a different combination of characters, so the username no longer identifies a single account. Because the application keys access decisions on that name as if it were a primary key, the collision can be exploited to gain unauthorized access. Fixed in 2.5.5.
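The weakness class described above, a username that is used as an identity but is not unique under every comparison the application performs, shown as an added example. This is hypothetical illustrative code, not rdiffweb's implementation: the schema, the exact-match duplicate check at registration, the case-insensitive lookup at authorization time, and the plaintext password column are all assumptions made for the demonstration. The vulnerable half shows an attacker-registered `Admin` being resolved to the real `admin` row; the hardened half normalizes names (NFKC, casefold, trim), enforces a UNIQUE constraint in the schema, and keys the session on the integer primary key rather than the name string.

```python
"""Username-collision illustration (hypothetical code, not rdiffweb's)."""
import sqlite3
import unicodedata


def normalize_username(name: str) -> str:
    """Canonical form used for both uniqueness and lookups.

    NFKC folds compatibility variants (e.g. fullwidth letters), casefold
    removes case differences, strip removes surrounding whitespace.
    """
    return unicodedata.normalize("NFKC", name).strip().casefold()


# ---------------- vulnerable pattern ----------------

def vulnerable_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    # No UNIQUE constraint: the name is treated as an identity by the
    # application but the schema never enforces that.
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
        "password TEXT, is_admin INTEGER)"
    )
    return conn


def vulnerable_create_user(conn, username, password, is_admin=False):
    # Duplicate check is an exact, case-sensitive string comparison ...
    if conn.execute("SELECT 1 FROM users WHERE username = ?", (username,)).fetchone():
        raise ValueError("username taken")
    # (plaintext password is a stand-in to keep the example short)
    conn.execute(
        "INSERT INTO users (username, password, is_admin) VALUES (?, ?, ?)",
        (username, password, int(is_admin)),
    )


def vulnerable_login(conn, username, password):
    """Authenticates by exact match and returns the typed name as the session principal."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def vulnerable_is_admin(conn, session_username):
    # ... but authorization resolves the session name loosely and takes the
    # first row, so two accounts can satisfy the same lookup.
    row = conn.execute(
        "SELECT is_admin FROM users WHERE lower(username) = lower(?) "
        "ORDER BY id LIMIT 1",
        (session_username,),
    ).fetchone()
    return bool(row and row[0])


def demo_vulnerable() -> bool:
    conn = vulnerable_db()
    vulnerable_create_user(conn, "admin", "S3cret", is_admin=True)
    vulnerable_create_user(conn, "Admin", "attacker")  # accepted: "Admin" != "admin"
    principal = vulnerable_login(conn, "Admin", "attacker")
    return vulnerable_is_admin(conn, principal)  # resolves to the real admin row


# ---------------- hardened pattern ----------------

def hardened_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, "
        "username TEXT NOT NULL UNIQUE, "  # stores the normalized form only
        "password TEXT NOT NULL, is_admin INTEGER NOT NULL DEFAULT 0)"
    )
    return conn


def hardened_create_user(conn, username, password, is_admin=False):
    canon = normalize_username(username)
    if not canon:
        raise ValueError("empty username")
    try:
        conn.execute(
            "INSERT INTO users (username, password, is_admin) VALUES (?, ?, ?)",
            (canon, password, int(is_admin)),
        )
    except sqlite3.IntegrityError:
        # The database, not application string logic, is the arbiter of uniqueness.
        raise ValueError("username taken") from None


def hardened_login(conn, username, password):
    """Returns the integer primary key as the session principal, never the name."""
    row = conn.execute(
        "SELECT id FROM users WHERE username = ? AND password = ?",
        (normalize_username(username), password),
    ).fetchone()
    return row[0] if row else None


def hardened_is_admin(conn, user_id) -> bool:
    row = conn.execute("SELECT is_admin FROM users WHERE id = ?", (user_id,)).fetchone()
    return bool(row and row[0])


def demo_hardened():
    conn = hardened_db()
    hardened_create_user(conn, "admin", "S3cret", is_admin=True)
    try:
        hardened_create_user(conn, "Admin", "attacker")
        collided = False
    except ValueError:
        collided = True
    # The legitimate user still logs in under any spelling; the session carries an id.
    admin_id = hardened_login(conn, "ADMIN", "S3cret")
    return collided, admin_id, hardened_is_admin(conn, admin_id)
```

The point of the hardened half is that a name is a label, not a key: every comparison that matters (duplicate check, login, authorization) must run on the same canonical form, the schema must reject collisions, and anything stored in a session or ACL should reference the row id so that a later lookup cannot land on a different account.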
Metadata
Created: 2022-12-27T15:30:19Z
Modified: 2024-10-25T21:41:19Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-wf33-6x33-wcf9/GHSA-wf33-6x33-wcf9.json
CWE IDs: CWE-287 (Improper Authentication), CWE-305 (Authentication Bypass by Primary Weakness)
Alternative ID: GHSA-wf33-6x33-wcf9
Finding: F039
Auto approve: 1