Fluid Attacks Database

Description

rdiffweb has insecure HTTP cookies In rdiffweb prior to version 2.4.6, the cookie session_id does not have a secure attribute when the URL is invalid. Version 2.4.6 contains a fix for the issue.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
pypi	rdiffweb	>=0 <2.4.6	2.4.6

Aliases

1. CVE-2022-32502. NVD-2022-32503. OSV-2022-32504. GCVE-2022-3250

References

1. https://github.com/ikus060/rdiffweb/commit/ac334dd27ceadac0661b1e2e059a8423433c3fee2. https://github.com/pypa/advisory-database/tree/main/vulns/rdiffweb/PYSEC-2022-287.yaml3. https://huntr.dev/bounties/39889a3f-8bb7-448a-b0d4-a18c671bbd23

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.