GHSA-mjw4-xvx6-3grg

Suggest an improvement
Source
https://github.com/advisories/GHSA-mjw4-xvx6-3grg
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/09/GHSA-mjw4-xvx6-3grg/GHSA-mjw4-xvx6-3grg.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-mjw4-xvx6-3grg
Aliases
Published
2022-09-14T00:00:51Z
Modified
2024-10-25T21:32:37Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
  • 7.1 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
rdiffweb vulnerable to Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
Details

rdiffweb version 2.4.1 is vulnerable to Sensitive Cookie in HTTPS Session Without 'Secure' Attribute. This makes it so that a user's cookies can be sent to the server with an unencrypted request over the HTTP protocol. Version 2.4.2 contains a fix for the issue.

Database specific
{
    "nvd_published_at": "2022-09-13T10:15:00Z",
    "cwe_ids": [
        "CWE-311",
        "CWE-614"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2022-09-15T03:22:39Z"
}
References

Affected packages

PyPI / rdiffweb

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.4.1
Fixed
2.4.2

Affected versions

2.*

2.4.1