Miggo Logo
Miggo Vulnerability Database
CVE-2022-3301

CVE-2022-3301: rdiffweb vulnerable to Improper Cleanup on Thrown Exception

2.4

CVSS Score
3.1

Basic Information

CVE ID
CVE-2022-3301
GHSA ID
GHSA-qq29-5vjh-vxwr
EPSS Score
0.20986%
CWE
CWE-460
Published
9/27/2022
Updated
10/25/2024
KEV Status
No
Technology
TechnologyPython

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
rdiffwebpip< 2.4.82.4.8

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The GitHub patch modifies the error_page function to replace the message with a generic one for 404 errors, explicitly stating the default implementation leaked path info. The added test case in test_page_error.py demonstrates the vulnerability by checking for path sanitization. The CWE-460 description matches this pattern of improper exception cleanup exposing sensitive information through unhandled error messages.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

r*i**w** prior to v*rsion *.*.* is vuln*r**l* to Improp*r *l**nup on T*rown *x**ption. T*is *oul* *llow *n *tt**k*r to *ispl*y * m*ss*** o* t**ir **oi** onto * w** p***. V*rsion *.*.* *ont*ins * *ix *or t*is issu*.

Reasoning

T** *it*u* p*t** mo*i*i*s t** *rror_p*** *un*tion to r*pl*** t** m*ss*** wit* * **n*ri* on* *or *** *rrors, *xpli*itly st*tin* t** ****ult impl*m*nt*tion l**k** p*t* in*o. T** ***** t*st **s* in t*st_p***_*rror.py **monstr*t*s t** vuln*r**ility *y **