Miggo Logo
Miggo Vulnerability Database
CVE-2022-3250

CVE-2022-3250: rdiffweb has insecure HTTP cookies

5.3

CVSS Score
3.1

Basic Information

CVE ID
CVE-2022-3250
GHSA ID
GHSA-m748-hjqg-rpp8
EPSS Score
0.63264%
CWE
CWE-311
Published
9/22/2022
Updated
10/25/2024
KEV Status
No
Technology
TechnologyPython

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
rdiffwebpip< 2.4.62.4.6

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stemmed from cookie security attributes not being applied during error handling. The commit moved security header logic from a HandlerTool class to a simpler Tool that executes earlier ('before_request_body'), ensuring cookie attributes are set even when HTTP errors occur. The added test cases specifically validate Secure attribute presence on error responses, confirming the original implementation's gap in error handling paths.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

In r*i**w** prior to v*rsion *.*.*, t** `*ooki*` s*ssion_i* *o*s not **v* * s**ur* *ttri*ut* w**n t** URL is inv*li*. V*rsion *.*.* *ont*ins * *ix *or t** issu*.

Reasoning

T** vuln*r**ility st*mm** *rom *ooki* s**urity *ttri*ut*s not **in* *ppli** *urin* *rror **n*lin*. T** *ommit mov** s**urity *****r lo*i* *rom * **n*l*rTool *l*ss to * simpl*r Tool t**t *x**ut*s **rli*r ('***or*_r*qu*st_*o*y'), *nsurin* *ooki* *ttri*