GHSA-j3q4-gmj4-mj95
Suggest an improvement- Source
- https://github.com/advisories/GHSA-j3q4-gmj4-mj95
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/09/GHSA-j3q4-gmj4-mj95/GHSA-j3q4-gmj4-mj95.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-j3q4-gmj4-mj95
- Aliases
- Published
- 2022-09-25T00:00:27Z
- Modified
- 2024-10-25T21:37:16.826486Z
- Severity
-
- 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- 9.3 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- rdiffweb vulnerable to account access via session fixation
- Details
-
rdiffweb prior to 2.4.7 fails to invalidate session cookies on logout, leading to session fixation and allowing an attacker to access a users account. After logging in and logging out, the application continues to use the preauthentication cookies. The cookies remain the same after closing the browser and after password reset. The same cookies are reassigned for additional user logins which can lead to session fixation. An attacker can gain unauthorized access to the account of users who are using the same browser as long as a single session cookie persists on that browser once the attacker obtains a session cookie through another attack. This issue is patched in version 2.4.7. There are no known workarounds.
- Database specific
{ "nvd_published_at": "2022-09-23T10:15:00Z", "cwe_ids": [ "CWE-384" ], "severity": "CRITICAL", "github_reviewed": true, "github_reviewed_at": "2022-09-29T15:19:51Z" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2022-3269
- https://github.com/ikus060/rdiffweb/commit/39e7dcd4a1f44d2a7bd92b79d78a800910b1b22b
- https://github.com/ikus060/rdiffweb
- https://github.com/pypa/advisory-database/tree/main/vulns/rdiffweb/PYSEC-2022-290.yaml
- https://huntr.dev/bounties/67c25969-5e7a-4424-817e-e1a918f63cc6
Affected packages
PyPI / rdiffweb
Package
- Name
- rdiffweb
- View open source insights on deps.dev
- Purl
- pkg:pypi/rdiffweb
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed2.4.7
Affected versions
0.*
0.9.2.dev1
0.9.3
0.9.4
0.9.5
0.10.0
0.10.2
0.10.3
0.10.4
0.10.5
0.10.6
0.10.7
0.10.8
0.10.9
1.*
1.0.0a1
1.0.0a2
1.0.0a3
1.0.0a4
1.0.0
1.0.1
1.0.2
1.0.3
1.1.0
1.2.0
1.2.1
1.2.2
1.3.0
1.3.1b1
1.3.1b2
1.3.1
1.3.2
1.4.0b1
1.4.0b2
1.4.0b3
1.4.0b4
1.4.0b5
1.4.0
1.4.1b1
1.4.1b2
1.4.1b3
1.5.0
1.5.1b1
1.5.1b2
1.6.0b1
2.*
2.0.1b2
2.0.1b3
2.0.2
2.0.3a1
2.0.3a2
2.0.3a3
2.0.3a4
2.0.3a5
2.0.3a6
2.0.3a7
2.1.0
2.2.0.dev1
2.2.0a1
2.2.0a2
2.2.0a3
2.2.0a4
2.2.0a5
2.2.0a6
2.2.0
2.2.1
2.3.0
2.3.1
2.3.2
2.3.3
2.3.4
2.3.5
2.3.6
2.3.7
2.3.8
2.3.9
2.4.0
2.4.1
2.4.2
2.4.3
2.4.4
2.4.5
2.4.6