PT-2022-21152 · Rdiffweb · Rdiffweb
Ikus060 · Published 2022-09-15 · Updated 2022-09-18 · CVE-2022-3221
CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: rdiffweb versions prior to 2.4.3
Description: The issue is a Cross-Site Request Forgery (CSRF) in the GitHub repository ikus060/rdiffweb. When adding SSH public keys to a profile, the server accepts GET requests, which can lead to unauthorized access to the system and backups.
Recommendations: For versions prior to 2.4.3, update to version 2.4.3 to resolve the issue. As a temporary workaround, consider restricting access to the SSH public key addition feature until the patch is applied.
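The weakness class described above, shown as an added example that is not rdiffweb's own code: a state-changing "add SSH key" handler that accepts any HTTP method and no anti-CSRF token, beside a hardened version that requires POST and a per-session synchronizer token. All names (Request, PROFILES, SESSIONS, the handler functions) are hypothetical stand-ins, and the profile store and session store are constructed in memory.

```python
import hmac
import secrets

# Constructed in-memory stand-ins (hypothetical, not rdiffweb's data model).
PROFILES = {"alice": {"ssh_keys": []}}
SESSIONS = {"alice": {"csrf_token": secrets.token_urlsafe(32)}}


class Request:
    """Minimal request object: method, authenticated user, form fields."""

    def __init__(self, method, user, form=None):
        self.method = method
        self.user = user          # already authenticated via session cookie
        self.form = form or {}


def add_key_vulnerable(req):
    """Flawed pattern: the key is stored on any method (including GET)
    and nothing ties the request to a user-initiated form submission,
    so a cross-site request carrying the victim's cookies succeeds."""
    key = req.form.get("key")
    if not key:
        return 400
    PROFILES[req.user]["ssh_keys"].append(key)
    return 200


def add_key_hardened(req):
    """Hardened pattern: state changes only on POST, and the submitted
    token must match the one stored in the user's server-side session.
    The constant-time comparison avoids leaking the token via timing."""
    if req.method != "POST":
        return 405
    expected = SESSIONS.get(req.user, {}).get("csrf_token", "")
    submitted = req.form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected, submitted):
        return 403
    key = req.form.get("key")
    if not key:
        return 400
    PROFILES[req.user]["ssh_keys"].append(key)
    return 200
```

Rejecting non-POST methods alone is not sufficient, since a cross-site form can still POST; the session-bound token is what stops the forged request.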

Related Identifiers

CVE-2022-3221
GHSA-VQ4H-XRWC-M639
PYSEC-2022-278

Affected Products

Rdiffweb