CVE-2022-3167: rdiffweb vulnerable to Improper Restriction of Rendered UI Layers or Frames

CVSS Score (v3.1): 8.8

Basic Information

EPSS Score: 0.41564%
Published: 9/9/2022
Updated: 10/25/2024
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Package Name | Ecosystem | Vulnerable Versions | First Patched Version
rdiffweb     | pip       | < 2.4.1             | 2.4.1

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stems from a missing X-Frame-Options response header. The commit patching CVE-2022-3167 modified the CsrfAuth class in security.py so that the method previously named _set_same_site, now renamed _set_headers, also emits 'X-Frame-Options: DENY'. The original _set_same_site method only set the SameSite attribute on cookies and emitted no frame-restriction header at all, which is the root cause: any page of the application could be embedded in an attacker-controlled frame. The test_clickjacking_defense test added to test_csrf.py asserts that the header is present, confirming it was absent in vulnerable versions.
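As an added illustration (not rdiffweb's or Miggo's code), the following models the before and after behaviour of the header hook described above and adds a checker that classifies a captured HTTP response by its framing protection, so a defender can verify a deployed instance is patched. The function names set_headers and frame_protection and the sample responses are constructed for this example.

```python
"""Added example, not rdiffweb's own code. Models the fix described above and
provides a checker for captured responses. Names and samples are hypothetical."""
from typing import Dict, Optional


def set_headers(headers: Dict[str, str], cookie: Optional[str] = None,
                patched: bool = True) -> Dict[str, str]:
    """Apply response headers the way a CherryPy-style hook would.

    patched=False mirrors the vulnerable behaviour (cookie SameSite only, as the
    old _set_same_site did); patched=True also denies framing, as the fix does.
    """
    out = dict(headers)
    if cookie is not None:
        out["Set-Cookie"] = f"{cookie}; HttpOnly; SameSite=Strict"
    if patched:
        out["X-Frame-Options"] = "DENY"
    return out


def frame_protection(raw_response: bytes) -> str:
    """Classify a raw HTTP/1.1 response as 'deny', 'sameorigin', 'csp' or 'none'.

    'csp' means no X-Frame-Options but a Content-Security-Policy with a
    frame-ancestors directive, which modern browsers honour instead.
    """
    head, _, _ = raw_response.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")[1:]  # skip the status line
    headers: Dict[str, str] = {}
    for line in lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    xfo = headers.get("x-frame-options", "").upper()
    if xfo == "DENY":
        return "deny"
    if xfo == "SAMEORIGIN":
        return "sameorigin"
    if "frame-ancestors" in headers.get("content-security-policy", "").lower():
        return "csp"
    return "none"


# Constructed sample responses, not captured from a real rdiffweb instance.
VULNERABLE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
              b"Set-Cookie: session=abc; SameSite=Strict\r\n\r\n<html>")
PATCHED = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
           b"X-Frame-Options: DENY\r\n\r\n<html>")
CSP_ONLY = (b"HTTP/1.1 200 OK\r\n"
            b"Content-Security-Policy: frame-ancestors 'none'\r\n\r\n<html>")
```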

WAF Protection Rules

WAF Rule

rdiffweb prior to 2.4.1 is vulnerable to Improper Restriction of Rendered UI Layers or Frames. This allows attackers to perform clickjacking attacks that can trick victims into performing actions such as entering passwords, liking or deleting posts,
