Miggo Logo
Miggo Vulnerability Database
CVE-2022-3292

CVE-2022-3292: rdiffweb vulnerable to Use of Cache Containing Sensitive Information

4.6

CVSS Score
3.1

Basic Information

CVE ID
CVE-2022-3292
GHSA ID
GHSA-7fqm-jm52-f9vc
EPSS Score
0.53904%
CWE
CWE-524
Published
9/29/2022
Updated
10/16/2024
KEV Status
No
Technology
TechnologyPython

Technical Details

CVSS Vector
CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
rdiffwebpip< 2.4.92.4.9

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from missing Cache-Control headers in HTTP responses. The key evidence is in the patch that added cache-control logic to the set_headers function in secure_headers.py. The pre-patch version of this function did not include the critical 'no-cache, no-store' directives, Pragma: no-cache, or Expires: 0 headers. This function is responsible for setting security headers across the application, and its lack of cache control mechanisms directly enabled the vulnerability. The test cases added in the commit (test_no_cache) specifically validate these headers, confirming their absence was the root cause.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

r*i**w** prior to v*rsion *.*.* is vuln*r**l* to Us* o* ***** *ont*inin* S*nsitiv* In*orm*tion. *u* to improp*r ***** *ontrol, *n *tt**k*r **n vi*w s*nsitiv* in*orm*tion *v*n i* t**y *r* not lo**** into *n ***ount. V*rsion *.*.* *ont*ins * p*t** *or

Reasoning

T** vuln*r**ility st*ms *rom missin* *****-*ontrol *****rs in *TTP r*spons*s. T** k*y *vi**n** is in t** p*t** t**t ***** *****-*ontrol lo*i* to t** s*t_*****rs *un*tion in s**ur*_*****rs.py. T** pr*-p*t** v*rsion o* t*is *un*tion *i* not in*lu** t**