Fluid Attacks Database

Description

rdiffweb CSRF vulnerability in profile's SSH keys can lead to unauthorized access rdiffweb prior to 2.4.3 is vulnerable to Cross-Site Request Forgery (CSRF). While adding SSH public keys to the profile, the server accepts the GET request, which results in adding an SSH public key to the profile and leads to unauthorized access to the system and backups. Version 2.4.3 contains a patch for this issue.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
pypi	rdiffweb	>=0 <2.4.3	2.4.3

Aliases

1. CVE-2022-32212. NVD-2022-32213. OSV-2022-32214. GHSA-vq4h-xrwc-m6395. GCVE-2022-3221

References

1. https://github.com/ikus060/rdiffweb/commit/9125f5a2d918fed0f3fc1c86fa94cd1779ed9f732. https://github.com/pypa/advisory-database/tree/main/vulns/rdiffweb/PYSEC-2022-278.yaml3. https://huntr.dev/bounties/1fa1aac9-b16a-4a70-a7da-960b3908ae1d

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.