PT-2022-20900 · Rdiffweb · Rdiffweb

Published: 2022-09-13 · Updated: 2022-09-15 · CVE-2022-3174

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: rdiffweb versions prior to 2.4.2
Description: rdiffweb sets its session cookie without the 'Secure' attribute. A browser only withholds a cookie from plaintext HTTP requests when that attribute is present, so any http:// request to the same host (for example, a user following an http:// link, or a link injected by an attacker on the network path) carries the cookie unencrypted even though the application itself is served over HTTPS. An attacker who can observe that traffic obtains the cookie and, with it, the user's session. The impact is on the confidentiality of the cookie; integrity and availability are not directly affected.
Recommendations: For versions prior to 2.4.2, update to version 2.4.2, which sets the 'Secure' attribute on the cookie. Until the update is applied, a practical interim measure (not part of the original advisory) is to terminate TLS at a reverse proxy that rewrites the application's Set-Cookie header to add 'Secure', refuses or redirects all plaintext HTTP requests, and sends a Strict-Transport-Security header so browsers stop issuing http:// requests to the host at all; at minimum, restrict who can reach the service over plaintext HTTP.
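The following is an added example, not rdiffweb's own code or the advisory's content. It shows the two sides of this issue in one place: a small audit that parses Set-Cookie headers and flags cookies lacking the 'Secure' (and 'HttpOnly') attribute, and a model of the RFC 6265 rule a browser applies when deciding whether to attach a cookie to a plaintext request. The header strings and the host name rdiffweb.example are constructed for the example.

```python
"""Audit Set-Cookie headers for the Secure attribute and model the browser rule.

Added example (not rdiffweb code). Sample headers and host are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Union
from urllib.parse import urlsplit


@dataclass
class Cookie:
    name: str
    value: str
    # attribute name (lower-cased) -> value, or True for bare flags like Secure
    attrs: Dict[str, Union[str, bool]] = field(default_factory=dict)

    def has_flag(self, flag: str) -> bool:
        return self.attrs.get(flag.lower()) is True


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value into name, value and attributes.

    Attribute names are case-insensitive per RFC 6265, so 'secure', 'Secure'
    and 'SECURE' all count. Bare attributes (no '=') are stored as True.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, Union[str, bool]] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return Cookie(name.strip(), value.strip(), attrs)


def audit_set_cookie(headers: List[str]) -> List[str]:
    """Return one finding per missing protective attribute across all headers."""
    findings: List[str] = []
    for header in headers:
        cookie = parse_set_cookie(header)
        if not cookie.has_flag("secure"):
            findings.append(f"{cookie.name}: missing Secure")
        if not cookie.has_flag("httponly"):
            findings.append(f"{cookie.name}: missing HttpOnly")
    return findings


def browser_would_send(cookie: Cookie, request_url: str) -> bool:
    """Model RFC 6265 section 5.4: a Secure cookie is sent only over a secure scheme.

    Without the Secure attribute the cookie is attached to http:// requests too,
    which is exactly the exposure described in the advisory.
    """
    scheme = urlsplit(request_url).scheme.lower()
    if cookie.has_flag("secure") and scheme != "https":
        return False
    return True


# Constructed sample headers: the vulnerable shape (no Secure) and the fixed shape.
VULNERABLE_HEADER = "session_id=c0ffee1234; Path=/; HttpOnly"
FIXED_HEADER = "session_id=c0ffee1234; Path=/; Secure; HttpOnly"

PLAINTEXT_URL = "http://rdiffweb.example/"   # constructed host
TLS_URL = "https://rdiffweb.example/"


def exposure_report() -> Dict[str, bool]:
    """Summarise whether each cookie shape leaks over a plaintext request."""
    vulnerable = parse_set_cookie(VULNERABLE_HEADER)
    fixed = parse_set_cookie(FIXED_HEADER)
    return {
        "vulnerable_sent_over_http": browser_would_send(vulnerable, PLAINTEXT_URL),
        "fixed_sent_over_http": browser_would_send(fixed, PLAINTEXT_URL),
        "fixed_sent_over_https": browser_would_send(fixed, TLS_URL),
    }


if __name__ == "__main__":
    for finding in audit_set_cookie([VULNERABLE_HEADER]):
        print("finding:", finding)
    for key, sent in exposure_report().items():
        print(f"{key}: {sent}")
```

To check a live deployment, feed `audit_set_cookie` the Set-Cookie values from a real login response (for example, the headers returned by `requests` or `curl -i`). A CherryPy-based application such as rdiffweb normally gets the attribute from the sessions tool (`tools.sessions.secure` in CherryPy's configuration); whether that is the precise change made in 2.4.2 is not stated on this page, so treat it as a general CherryPy note rather than a description of the fix.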

Weakness Enumeration

Missing Encryption of Sensitive Data

Related Identifiers

CVE-2022-3174
GHSA-MJW4-XVX6-3GRG
PYSEC-2022-271

Affected Products

Rdiffweb