cvelistv5 - CVE-2022-3269

CVE-2022-3269 (GCVE-0-2022-3269)

Vulnerability from cvelistv5

Published

2022-09-23 09:20

Modified

2025-05-22 18:28

Severity ?

6.4 (Medium) - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:L

CWE

CWE-384 - Session Fixation

Summary

Session Fixation in GitHub repository ikus060/rdiffweb prior to 2.4.7.

References

URL

Tags

security@huntr.dev	https://github.com/ikus060/rdiffweb/commit/39e7dcd4a1f44d2a7bd92b79d78a800910b1b22b	Patch, Third Party Advisory
security@huntr.dev	https://huntr.dev/bounties/67c25969-5e7a-4424-817e-e1a918f63cc6	Exploit, Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/ikus060/rdiffweb/commit/39e7dcd4a1f44d2a7bd92b79d78a800910b1b22b	Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://huntr.dev/bounties/67c25969-5e7a-4424-817e-e1a918f63cc6	Exploit, Patch, Third Party Advisory

Impacted products

	Vendor	Product	Version
	ikus060	ikus060/rdiffweb	Version: unspecified < 2.4.7

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T01:07:05.856Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://huntr.dev/bounties/67c25969-5e7a-4424-817e-e1a918f63cc6"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/ikus060/rdiffweb/commit/39e7dcd4a1f44d2a7bd92b79d78a800910b1b22b"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2022-3269",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-05-22T15:53:26.748365Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-05-22T18:28:01.655Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "ikus060/rdiffweb",
          "vendor": "ikus060",
          "versions": [
            {
              "lessThan": "2.4.7",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Session Fixation in GitHub repository ikus060/rdiffweb prior to 2.4.7."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 6.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:L",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-384",
              "description": "CWE-384 Session Fixation",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-09-23T09:20:09.000Z",
        "orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
        "shortName": "@huntrdev"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://huntr.dev/bounties/67c25969-5e7a-4424-817e-e1a918f63cc6"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/ikus060/rdiffweb/commit/39e7dcd4a1f44d2a7bd92b79d78a800910b1b22b"
        }
      ],
      "source": {
        "advisory": "67c25969-5e7a-4424-817e-e1a918f63cc6",
        "discovery": "EXTERNAL"
      },
      "title": "Session Fixation in ikus060/rdiffweb",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@huntr.dev",
          "ID": "CVE-2022-3269",
          "STATE": "PUBLIC",
          "TITLE": "Session Fixation in ikus060/rdiffweb"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "ikus060/rdiffweb",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_value": "2.4.7"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "ikus060"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Session Fixation in GitHub repository ikus060/rdiffweb prior to 2.4.7."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 6.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:L",
            "version": "3.0"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-384 Session Fixation"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://huntr.dev/bounties/67c25969-5e7a-4424-817e-e1a918f63cc6",
              "refsource": "CONFIRM",
              "url": "https://huntr.dev/bounties/67c25969-5e7a-4424-817e-e1a918f63cc6"
            },
            {
              "name": "https://github.com/ikus060/rdiffweb/commit/39e7dcd4a1f44d2a7bd92b79d78a800910b1b22b",
              "refsource": "MISC",
              "url": "https://github.com/ikus060/rdiffweb/commit/39e7dcd4a1f44d2a7bd92b79d78a800910b1b22b"
            }
          ]
        },
        "source": {
          "advisory": "67c25969-5e7a-4424-817e-e1a918f63cc6",
          "discovery": "EXTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
    "assignerShortName": "@huntrdev",
    "cveId": "CVE-2022-3269",
    "datePublished": "2022-09-23T09:20:09.000Z",
    "dateReserved": "2022-09-22T00:00:00.000Z",
    "dateUpdated": "2025-05-22T18:28:01.655Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2022-3269\",\"sourceIdentifier\":\"security@huntr.dev\",\"published\":\"2022-09-23T10:15:10.410\",\"lastModified\":\"2024-11-21T07:19:10.930\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Session Fixation in GitHub repository ikus060/rdiffweb prior to 2.4.7.\"},{\"lang\":\"es\",\"value\":\"Una Fijaci\u00f3n de Sesi\u00f3n en el repositorio de GitHub ikus060/rdiffweb versiones anteriores a 2.4.7.\\n\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}],\"cvssMetricV30\":[{\"source\":\"security@huntr.dev\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:L\",\"baseScore\":6.4,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":1.6,\"impactScore\":4.7}]},\"weaknesses\":[{\"source\":\"security@huntr.dev\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-384\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ikus-soft:rdiffweb:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"2.4.7\",\"matchCriteriaId\":\"97394AAD-002C-47AB-BE19-CA241AEF843F\"}]}]}],\"references\":[{\"url\":\"https://github.com/ikus060/rdiffweb/commit/39e7dcd4a1f44d2a7bd92b79d78a800910b1b22b\",\"source\":\"security@huntr.dev\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://huntr.dev/bounties/67c25969-5e7a-4424-817e-e1a918f63cc6\",\"source\":\"security@huntr.dev\",\"tags\":[\"Exploit\",\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/ikus060/rdiffweb/commit/39e7dcd4a1f44d2a7bd92b79d78a800910b1b22b\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://huntr.dev/bounties/67c25969-5e7a-4424-817e-e1a918f63cc6\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Patch\",\"Third Party Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"cna\": {\"affected\": [{\"product\": \"ikus060/rdiffweb\", \"vendor\": \"ikus060\", \"versions\": [{\"lessThan\": \"2.4.7\", \"status\": \"affected\", \"version\": \"unspecified\", \"versionType\": \"custom\"}]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Session Fixation in GitHub repository ikus060/rdiffweb prior to 2.4.7.\"}], \"metrics\": [{\"cvssV3_0\": {\"attackComplexity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"availabilityImpact\": \"LOW\", \"baseScore\": 6.4, \"baseSeverity\": \"MEDIUM\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"LOW\", \"privilegesRequired\": \"LOW\", \"scope\": \"UNCHANGED\", \"userInteraction\": \"NONE\", \"vectorString\": \"CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:L\", \"version\": \"3.0\"}}], \"problemTypes\": [{\"descriptions\": [{\"cweId\": \"CWE-384\", \"description\": \"CWE-384 Session Fixation\", \"lang\": \"en\", \"type\": \"CWE\"}]}], \"providerMetadata\": {\"dateUpdated\": \"2022-09-23T09:20:09.000Z\", \"orgId\": \"c09c270a-b464-47c1-9133-acb35b22c19a\", \"shortName\": \"@huntrdev\"}, \"references\": [{\"tags\": [\"x_refsource_CONFIRM\"], \"url\": \"https://huntr.dev/bounties/67c25969-5e7a-4424-817e-e1a918f63cc6\"}, {\"tags\": [\"x_refsource_MISC\"], \"url\": \"https://github.com/ikus060/rdiffweb/commit/39e7dcd4a1f44d2a7bd92b79d78a800910b1b22b\"}], \"source\": {\"advisory\": \"67c25969-5e7a-4424-817e-e1a918f63cc6\", \"discovery\": \"EXTERNAL\"}, \"title\": \"Session Fixation in ikus060/rdiffweb\", \"x_legacyV4Record\": {\"CVE_data_meta\": {\"ASSIGNER\": \"security@huntr.dev\", \"ID\": \"CVE-2022-3269\", \"STATE\": \"PUBLIC\", \"TITLE\": \"Session Fixation in ikus060/rdiffweb\"}, \"affects\": {\"vendor\": {\"vendor_data\": [{\"product\": {\"product_data\": [{\"product_name\": \"ikus060/rdiffweb\", \"version\": {\"version_data\": [{\"version_affected\": \"\u003c\", \"version_value\": \"2.4.7\"}]}}]}, \"vendor_name\": \"ikus060\"}]}}, \"data_format\": \"MITRE\", \"data_type\": \"CVE\", \"data_version\": \"4.0\", \"description\": {\"description_data\": [{\"lang\": \"eng\", \"value\": \"Session Fixation in GitHub repository ikus060/rdiffweb prior to 2.4.7.\"}]}, \"impact\": {\"cvss\": {\"attackComplexity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"availabilityImpact\": \"LOW\", \"baseScore\": 6.4, \"baseSeverity\": \"MEDIUM\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"LOW\", \"privilegesRequired\": \"LOW\", \"scope\": \"UNCHANGED\", \"userInteraction\": \"NONE\", \"vectorString\": \"CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:L\", \"version\": \"3.0\"}}, \"problemtype\": {\"problemtype_data\": [{\"description\": [{\"lang\": \"eng\", \"value\": \"CWE-384 Session Fixation\"}]}]}, \"references\": {\"reference_data\": [{\"name\": \"https://huntr.dev/bounties/67c25969-5e7a-4424-817e-e1a918f63cc6\", \"refsource\": \"CONFIRM\", \"url\": \"https://huntr.dev/bounties/67c25969-5e7a-4424-817e-e1a918f63cc6\"}, {\"name\": \"https://github.com/ikus060/rdiffweb/commit/39e7dcd4a1f44d2a7bd92b79d78a800910b1b22b\", \"refsource\": \"MISC\", \"url\": \"https://github.com/ikus060/rdiffweb/commit/39e7dcd4a1f44d2a7bd92b79d78a800910b1b22b\"}]}, \"source\": {\"advisory\": \"67c25969-5e7a-4424-817e-e1a918f63cc6\", \"discovery\": \"EXTERNAL\"}}}, \"adp\": [{\"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-03T01:07:05.856Z\"}, \"title\": \"CVE Program Container\", \"references\": [{\"tags\": [\"x_refsource_CONFIRM\", \"x_transferred\"], \"url\": \"https://huntr.dev/bounties/67c25969-5e7a-4424-817e-e1a918f63cc6\"}, {\"tags\": [\"x_refsource_MISC\", \"x_transferred\"], \"url\": \"https://github.com/ikus060/rdiffweb/commit/39e7dcd4a1f44d2a7bd92b79d78a800910b1b22b\"}]}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2022-3269\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-05-22T15:53:26.748365Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-05-22T15:55:19.694Z\"}}]}",
      "cveMetadata": "{\"assignerOrgId\": \"c09c270a-b464-47c1-9133-acb35b22c19a\", \"assignerShortName\": \"@huntrdev\", \"cveId\": \"CVE-2022-3269\", \"datePublished\": \"2022-09-23T09:20:09.000Z\", \"dateReserved\": \"2022-09-22T00:00:00.000Z\", \"dateUpdated\": \"2025-05-22T18:28:01.655Z\", \"state\": \"PUBLISHED\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

gsd-2022-3269

Vulnerability from gsd

Modified

2023-12-13 01:19

Details

Session Fixation in GitHub repository ikus060/rdiffweb prior to 2.4.7.

Aliases

CVE-2022-3269

Aliases

CVE-2022-3269

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2022-3269",
    "id": "GSD-2022-3269"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2022-3269"
      ],
      "details": "Session Fixation in GitHub repository ikus060/rdiffweb prior to 2.4.7.",
      "id": "GSD-2022-3269",
      "modified": "2023-12-13T01:19:39.752371Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security@huntr.dev",
        "ID": "CVE-2022-3269",
        "STATE": "PUBLIC",
        "TITLE": "Session Fixation in ikus060/rdiffweb"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "ikus060/rdiffweb",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "\u003c",
                          "version_value": "2.4.7"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "ikus060"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Session Fixation in GitHub repository ikus060/rdiffweb prior to 2.4.7."
          }
        ]
      },
      "impact": {
        "cvss": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 6.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:L",
          "version": "3.0"
        }
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-384 Session Fixation"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://huntr.dev/bounties/67c25969-5e7a-4424-817e-e1a918f63cc6",
            "refsource": "CONFIRM",
            "url": "https://huntr.dev/bounties/67c25969-5e7a-4424-817e-e1a918f63cc6"
          },
          {
            "name": "https://github.com/ikus060/rdiffweb/commit/39e7dcd4a1f44d2a7bd92b79d78a800910b1b22b",
            "refsource": "MISC",
            "url": "https://github.com/ikus060/rdiffweb/commit/39e7dcd4a1f44d2a7bd92b79d78a800910b1b22b"
          }
        ]
      },
      "source": {
        "advisory": "67c25969-5e7a-4424-817e-e1a918f63cc6",
        "discovery": "EXTERNAL"
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003c2.4.7",
          "affected_versions": "All versions before 2.4.7",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-384",
            "CWE-937"
          ],
          "date": "2022-09-29",
          "description": "Session Fixation in GitHub repository ikus060/rdiffweb prior to 2.4.7.",
          "fixed_versions": [
            "2.4.7"
          ],
          "identifier": "CVE-2022-3269",
          "identifiers": [
            "GHSA-j3q4-gmj4-mj95",
            "CVE-2022-3269"
          ],
          "not_impacted": "All versions starting from 2.4.7",
          "package_slug": "pypi/rdiffweb",
          "pubdate": "2022-09-25",
          "solution": "Upgrade to version 2.4.7 or above.",
          "title": "Session Fixation",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2022-3269",
            "https://github.com/ikus060/rdiffweb/commit/39e7dcd4a1f44d2a7bd92b79d78a800910b1b22b",
            "https://huntr.dev/bounties/67c25969-5e7a-4424-817e-e1a918f63cc6",
            "https://github.com/pypa/advisory-database/tree/main/vulns/rdiffweb/PYSEC-2022-290.yaml",
            "https://github.com/advisories/GHSA-j3q4-gmj4-mj95"
          ],
          "uuid": "2be9791b-230b-4acb-89d4-efe2ab0bf548"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:ikus-soft:rdiffweb:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "2.4.7",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security@huntr.dev",
          "ID": "CVE-2022-3269"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Session Fixation in GitHub repository ikus060/rdiffweb prior to 2.4.7."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-384"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://huntr.dev/bounties/67c25969-5e7a-4424-817e-e1a918f63cc6",
              "refsource": "CONFIRM",
              "tags": [
                "Exploit",
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://huntr.dev/bounties/67c25969-5e7a-4424-817e-e1a918f63cc6"
            },
            {
              "name": "https://github.com/ikus060/rdiffweb/commit/39e7dcd4a1f44d2a7bd92b79d78a800910b1b22b",
              "refsource": "MISC",
              "tags": [
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://github.com/ikus060/rdiffweb/commit/39e7dcd4a1f44d2a7bd92b79d78a800910b1b22b"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 5.9
        }
      },
      "lastModifiedDate": "2022-09-26T17:05Z",
      "publishedDate": "2022-09-23T10:15Z"
    }
  }
}

ghsa-j3q4-gmj4-mj95

Vulnerability from github

Published

2022-09-25 00:00

Modified

2024-10-25 21:29

Severity ?

9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.3 (Critical) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Summary

rdiffweb vulnerable to account access via session fixation

Details

rdiffweb prior to 2.4.7 fails to invalidate session cookies on logout, leading to session fixation and allowing an attacker to access a users account. After logging in and logging out, the application continues to use the preauthentication cookies. The cookies remain the same after closing the browser and after password reset. The same cookies are reassigned for additional user logins which can lead to session fixation. An attacker can gain unauthorized access to the account of users who are using the same browser as long as a single session cookie persists on that browser once the attacker obtains a session cookie through another attack. This issue is patched in version 2.4.7. There are no known workarounds.

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "rdiffweb"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.4.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-3269"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-384"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-09-29T15:19:51Z",
    "nvd_published_at": "2022-09-23T10:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "rdiffweb prior to 2.4.7 fails to invalidate session cookies on logout, leading to session fixation and allowing an attacker to access a users account. After logging in and logging out, the application continues to use the preauthentication cookies. The cookies remain the same after closing the browser and after password reset. The same cookies are reassigned for additional user logins which can lead to session fixation. An attacker can gain unauthorized access to the account of users who are using the same browser as long as a single session cookie persists on that browser once the attacker obtains a session cookie through another attack. This issue is patched in version 2.4.7. There are no known workarounds.\n",
  "id": "GHSA-j3q4-gmj4-mj95",
  "modified": "2024-10-25T21:29:05Z",
  "published": "2022-09-25T00:00:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3269"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ikus060/rdiffweb/commit/39e7dcd4a1f44d2a7bd92b79d78a800910b1b22b"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ikus060/rdiffweb"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/rdiffweb/PYSEC-2022-290.yaml"
    },
    {
      "type": "WEB",
      "url": "https://huntr.dev/bounties/67c25969-5e7a-4424-817e-e1a918f63cc6"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "rdiffweb vulnerable to account access via session fixation"
}

cnvd-2022-88211

Vulnerability from cnvd

Title

Rdiffweb授权问题漏洞

Description

Rdiffweb是美国Patrik Dufresne个人开发者的一个Web应用程序。可通过高效的Web界面快速访问您的档案。 Rdiffweb 2.4.7之前版本存在授权问题漏洞，攻击者可利用此漏洞窃取Cookie进行未授权操作。

Severity

高

Patch Name

Rdiffweb授权问题漏洞的补丁

Patch Description

Rdiffweb是美国Patrik Dufresne个人开发者的一个Web应用程序。可通过高效的Web界面快速访问您的档案。 Rdiffweb 2.4.7之前版本存在授权问题漏洞，攻击者可利用漏洞窃取Cookie进行未授权操作。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

目前厂商已发布升级补丁以修复漏洞，补丁获取链接： https://github.com/ikus060/rdiffweb/

Reference

https://huntr.dev/bounties/67c25969-5e7a-4424-817e-e1a918f63cc6

Impacted products

Name
Patrik Dufresne Rdiffweb <2.4.7

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2022-3269",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2022-3269"
    }
  },
  "description": "Rdiffweb\u662f\u7f8e\u56fdPatrik Dufresne\u4e2a\u4eba\u5f00\u53d1\u8005\u7684\u4e00\u4e2aWeb\u5e94\u7528\u7a0b\u5e8f\u3002\u53ef\u901a\u8fc7\u9ad8\u6548\u7684Web\u754c\u9762\u5feb\u901f\u8bbf\u95ee\u60a8\u7684\u6863\u6848\u3002\n\nRdiffweb 2.4.7\u4e4b\u524d\u7248\u672c\u5b58\u5728\u6388\u6743\u95ee\u9898\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u6b64\u6f0f\u6d1e\u7a83\u53d6Cookie\u8fdb\u884c\u672a\u6388\u6743\u64cd\u4f5c\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://github.com/ikus060/rdiffweb/",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2022-88211",
  "openTime": "2022-12-17",
  "patchDescription": "Rdiffweb\u662f\u7f8e\u56fdPatrik Dufresne\u4e2a\u4eba\u5f00\u53d1\u8005\u7684\u4e00\u4e2aWeb\u5e94\u7528\u7a0b\u5e8f\u3002\u53ef\u901a\u8fc7\u9ad8\u6548\u7684Web\u754c\u9762\u5feb\u901f\u8bbf\u95ee\u60a8\u7684\u6863\u6848\u3002\r\n\r\nRdiffweb 2.4.7\u4e4b\u524d\u7248\u672c\u5b58\u5728\u6388\u6743\u95ee\u9898\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u6f0f\u6d1e\u7a83\u53d6Cookie\u8fdb\u884c\u672a\u6388\u6743\u64cd\u4f5c\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Rdiffweb\u6388\u6743\u95ee\u9898\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "Patrik Dufresne Rdiffweb \u003c2.4.7"
  },
  "referenceLink": "https://huntr.dev/bounties/67c25969-5e7a-4424-817e-e1a918f63cc6",
  "serverity": "\u9ad8",
  "submitTime": "2022-09-28",
  "title": "Rdiffweb\u6388\u6743\u95ee\u9898\u6f0f\u6d1e"
}

pysec-2022-290

Vulnerability from pysec

Published

2022-09-23 10:15

Modified

2022-09-26 18:52

Details

Session Fixation in GitHub repository ikus060/rdiffweb prior to 2.4.7.

Impacted products

Name	purl
rdiffweb	pkg:pypi/rdiffweb

Aliases

CVE-2022-3269

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "rdiffweb",
        "purl": "pkg:pypi/rdiffweb"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "39e7dcd4a1f44d2a7bd92b79d78a800910b1b22b"
            }
          ],
          "repo": "https://github.com/ikus060/rdiffweb",
          "type": "GIT"
        },
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.4.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "0.10.0",
        "0.10.2",
        "0.10.3",
        "0.10.4",
        "0.10.5",
        "0.10.6",
        "0.10.7",
        "0.10.8",
        "0.10.9",
        "0.9.2.dev1",
        "0.9.3",
        "0.9.4",
        "0.9.5",
        "1.0.0",
        "1.0.0a1",
        "1.0.0a2",
        "1.0.0a3",
        "1.0.0a4",
        "1.0.1",
        "1.0.2",
        "1.0.3",
        "1.1.0",
        "1.2.0",
        "1.2.1",
        "1.2.2",
        "1.3.0",
        "1.3.1",
        "1.3.1b1",
        "1.3.1b2",
        "1.3.2",
        "1.4.0",
        "1.4.0b1",
        "1.4.0b2",
        "1.4.0b3",
        "1.4.0b4",
        "1.4.0b5",
        "1.4.1b1",
        "1.4.1b2",
        "1.4.1b3",
        "1.5.0",
        "1.5.1b1",
        "1.5.1b2",
        "1.6.0b1",
        "2.0.1b2",
        "2.0.1b3",
        "2.0.2",
        "2.0.3a1",
        "2.0.3a2",
        "2.0.3a3",
        "2.0.3a4",
        "2.0.3a5",
        "2.0.3a6",
        "2.0.3a7",
        "2.1.0",
        "2.2.0",
        "2.2.0.dev1",
        "2.2.0a1",
        "2.2.0a2",
        "2.2.0a3",
        "2.2.0a4",
        "2.2.0a5",
        "2.2.0a6",
        "2.2.1",
        "2.3.0",
        "2.3.1",
        "2.3.2",
        "2.3.3",
        "2.3.4",
        "2.3.5",
        "2.3.6",
        "2.3.7",
        "2.3.8",
        "2.3.9",
        "2.4.0",
        "2.4.1",
        "2.4.2",
        "2.4.3",
        "2.4.4",
        "2.4.5",
        "2.4.6"
      ]
    }
  ],
  "aliases": [
    "CVE-2022-3269"
  ],
  "details": "Session Fixation in GitHub repository ikus060/rdiffweb prior to 2.4.7.",
  "id": "PYSEC-2022-290",
  "modified": "2022-09-26T18:52:54.831168Z",
  "published": "2022-09-23T10:15:00Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://huntr.dev/bounties/67c25969-5e7a-4424-817e-e1a918f63cc6"
    },
    {
      "type": "FIX",
      "url": "https://github.com/ikus060/rdiffweb/commit/39e7dcd4a1f44d2a7bd92b79d78a800910b1b22b"
    }
  ]
}

fkie_cve-2022-3269

Vulnerability from fkie_nvd

Published

2022-09-23 10:15

Modified

2024-11-21 07:19

Severity ?

9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

Session Fixation in GitHub repository ikus060/rdiffweb prior to 2.4.7.

References

URL	Tags
security@huntr.dev	https://github.com/ikus060/rdiffweb/commit/39e7dcd4a1f44d2a7bd92b79d78a800910b1b22b	Patch, Third Party Advisory
security@huntr.dev	https://huntr.dev/bounties/67c25969-5e7a-4424-817e-e1a918f63cc6	Exploit, Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/ikus060/rdiffweb/commit/39e7dcd4a1f44d2a7bd92b79d78a800910b1b22b	Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://huntr.dev/bounties/67c25969-5e7a-4424-817e-e1a918f63cc6	Exploit, Patch, Third Party Advisory

Impacted products

	Vendor	Product	Version
	ikus-soft	rdiffweb	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:ikus-soft:rdiffweb:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "97394AAD-002C-47AB-BE19-CA241AEF843F",
              "versionEndExcluding": "2.4.7",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Session Fixation in GitHub repository ikus060/rdiffweb prior to 2.4.7."
    },
    {
      "lang": "es",
      "value": "Una Fijaci\u00f3n de Sesi\u00f3n en el repositorio de GitHub ikus060/rdiffweb versiones anteriores a 2.4.7.\n"
    }
  ],
  "id": "CVE-2022-3269",
  "lastModified": "2024-11-21T07:19:10.930",
  "metrics": {
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 6.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:L",
          "version": "3.0"
        },
        "exploitabilityScore": 1.6,
        "impactScore": 4.7,
        "source": "security@huntr.dev",
        "type": "Secondary"
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2022-09-23T10:15:10.410",
  "references": [
    {
      "source": "security@huntr.dev",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/ikus060/rdiffweb/commit/39e7dcd4a1f44d2a7bd92b79d78a800910b1b22b"
    },
    {
      "source": "security@huntr.dev",
      "tags": [
        "Exploit",
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://huntr.dev/bounties/67c25969-5e7a-4424-817e-e1a918f63cc6"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/ikus060/rdiffweb/commit/39e7dcd4a1f44d2a7bd92b79d78a800910b1b22b"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://huntr.dev/bounties/67c25969-5e7a-4424-817e-e1a918f63cc6"
    }
  ],
  "sourceIdentifier": "security@huntr.dev",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-384"
        }
      ],
      "source": "security@huntr.dev",
      "type": "Secondary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

CVE-2022-3269 (GCVE-0-2022-3269)

Vulnerability from cvelistv5

gsd-2022-3269

Vulnerability from gsd

ghsa-j3q4-gmj4-mj95

Vulnerability from github

cnvd-2022-88211

Vulnerability from cnvd

pysec-2022-290

Vulnerability from pysec

fkie_cve-2022-3269

Vulnerability from fkie_nvd

Tags

Sightings

Nomenclature