Опубликовано: 14 сент. 2022
Источник: github
Github: Прошло ревью
CVSS4: 7.1
CVSS3: 7.5
Описание
rdiffweb vulnerable to Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
rdiffweb version 2.4.1 is vulnerable to Sensitive Cookie in HTTPS Session Without 'Secure' Attribute. This makes it so that a user's cookies can be sent to the server with an unencrypted request over the HTTP protocol. Version 2.4.2 contains a fix for the issue.
Ссылки
- https://nvd.nist.gov/vuln/detail/CVE-2022-3174
- https://github.com/ikus060/rdiffweb/commit/f2de2371c5e13ce1c6fd6f9a1ed3e5d46b93cd7e
- https://github.com/advisories/GHSA-mjw4-xvx6-3grg
- https://github.com/pypa/advisory-database/tree/main/vulns/rdiffweb/PYSEC-2022-271.yaml
- https://huntr.dev/bounties/d8a32bd6-c76d-4140-a5ca-ef368a3058ce
Пакеты
Наименование
rdiffweb
pip
Затронутые версииВерсия исправления
= 2.4.1
2.4.2
Связанные уязвимости
CVSS3: 7.5
nvd
больше 3 лет назад
Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in GitHub repository ikus060/rdiffweb prior to 2.4.2.
CVSS3: 7.5
debian
больше 3 лет назад
Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in GitHub ...