CVE-2022-3174: rdiffweb vulnerable to Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
rdiffweb version 2.4.1 is vulnerable to Sensitive Cookie in HTTPS Session Without 'Secure' Attribute. Because the session cookie is set without the Secure attribute, a browser will also attach it to unencrypted requests sent over plain HTTP, exposing the user's cookies in clear text. Version 2.4.2 contains a fix for the issue.
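A defender's check for the weakness this advisory describes, written here as an added example (it is not rdiffweb's code and does not reproduce its fix): it parses Set-Cookie header values, reports cookies that lack Secure (plus the usual companions HttpOnly and SameSite), and re-emits a hardened header. The header values are constructed for illustration.

```python
"""Audit Set-Cookie headers for a missing Secure attribute.

Added example, not rdiffweb's own code. The header values below are
constructed to illustrate the check; they were not captured from rdiffweb.
"""
from http.cookies import SimpleCookie

# Constructed samples: the first is how a session cookie looks when the
# Secure attribute is missing; the second is already hardened.
SAMPLE_HEADERS = [
    "session_id=2f9c1e0a; Path=/; HttpOnly",
    "csrf_token=ab12cd34; Path=/; Secure; HttpOnly; SameSite=Strict",
]


def audit_set_cookie(header_value):
    """Return {cookie_name: [missing attributes]} for one Set-Cookie value.

    Without Secure the browser sends the cookie over plain http:// too, so
    one unencrypted request exposes it; HttpOnly and SameSite are reported
    as well because a session cookie normally needs all three.
    """
    jar = SimpleCookie()
    jar.load(header_value)  # parses attribute flags case-insensitively
    findings = {}
    for name, morsel in jar.items():
        missing = [attr for attr, key in (("Secure", "secure"),
                                          ("HttpOnly", "httponly"),
                                          ("SameSite", "samesite"))
                   if not morsel[key]]
        if missing:
            findings[name] = missing
    return findings


def harden_set_cookie(header_value):
    """Re-emit a single-cookie Set-Cookie value with Secure and HttpOnly set."""
    jar = SimpleCookie()
    jar.load(header_value)
    (morsel,) = jar.values()  # one cookie per Set-Cookie header
    morsel["secure"] = True
    morsel["httponly"] = True
    return morsel.OutputString()


if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(header, "->", audit_set_cookie(header) or "ok")
    print("hardened:", harden_set_cookie(SAMPLE_HEADERS[0]))
```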
References
- github.com/advisories/GHSA-mjw4-xvx6-3grg
- github.com/ikus060/rdiffweb
- github.com/ikus060/rdiffweb/commit/f2de2371c5e13ce1c6fd6f9a1ed3e5d46b93cd7e
- github.com/pypa/advisory-database/tree/main/vulns/rdiffweb/PYSEC-2022-271.yaml
- huntr.dev/bounties/d8a32bd6-c76d-4140-a5ca-ef368a3058ce
- nvd.nist.gov/vuln/detail/CVE-2022-3174
Detect and mitigate CVE-2022-3174 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities.