9.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-3269

GHSA ID

GHSA-j3q4-gmj4-mj95

EPSS Score

0.21288%

CWE

CWE-384

Published

9/25/2022

Updated

10/25/2024

KEV Status

Technology

Python

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-3269

CVE-2022-3269: rdiffweb vulnerable to account access via session fixation

rdiffweb prior to 2.4.7 fails to invalidate session cookies on logout, leading to session fixation and allowing an attacker to access a users account. After logging in and logging out, the application continues to use the preauthentication cookies. The cookies remain the same after closing the browser and after password reset. The same cookies are reassigned for additional user logins which can lead to session fixation. An attacker can gain unauthorized access to the account of users who are using the same browser as long as a single session cookie persists on that browser once the attacker obtains a session cookie through another attack. This issue is patched in version 2.4.7. There are no known workarounds.

(GitHub Advisory)

9.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-3269

GHSA ID

GHSA-j3q4-gmj4-mj95

EPSS Score

0.21288%

CWE

CWE-384

Published

9/25/2022

Updated

10/25/2024

KEV Status

Technology

Python

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
rdiffweb	pip	< 2.4.7	2.4.7

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from missing session regeneration in authentication workflows. The patch adds 'cherrypy.session.regenerate()' calls in both login and logout handlers:

In LoginPage.index, session fixation was possible because the same session ID was retained after successful authentication
In LogoutPage.default, session persistence was maintained because logout only nullified the user association without invalidating the session ID These omissions violated session management best practices by keeping static session identifiers across authentication state changes, enabling session fixation attacks. The high confidence comes from the direct correlation between the missing session regeneration calls in these functions and the CWE-384 description of session fixation vulnerabilities.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

r*i**w** prior to *.*.* **ils to inv*li**t* s*ssion *ooki*s on lo*out, l***in* to s*ssion *ix*tion *n* *llowin* *n *tt**k*r to ****ss * us*rs ***ount. **t*r lo**in* in *n* lo**in* out, t** *ppli**tion *ontinu*s to us* t** pr**ut**nti**tion *ooki*s. T

Reasoning

T** vuln*r**ility st*ms *rom missin* s*ssion r***n*r*tion in *ut**nti**tion work*lows. T** p*t** ***s '***rrypy.s*ssion.r***n*r*t*()' **lls in *ot* lo*in *n* lo*out **n*l*rs: *. In Lo*inP***.in**x, s*ssion *ix*tion w*s possi*l* ****us* t** s*m* s*ssi

9.8

Basic Information

Concerned about an active attack path?

CVE-2022-3269: rdiffweb vulnerable to account access via session fixation

9.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI