CVE-2022-3327: Rdiffweb is missing authentication for critical function

CVSS Score (v3.1): 9.8
Basic Information

EPSS Score: 0.2503%
Published: 10/20/2022
Updated: 10/26/2024
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package name: rdiffweb
Ecosystem: pip
Vulnerable versions: < 2.5.0
First patched version: 2.5.0

Vulnerability Intelligence
Root Cause Analysis (Miggo AI)

The vulnerability stems from improper session timeout handling. The key changes in auth_form.py show:

  1. The _is_login function's removal of the timeout check allowed sessions to remain valid indefinitely if they were not explicitly expired.
  2. The original AuthForm.run implementation lacked proper handling of absolute session timeouts and relied only on idle timeouts. The patch introduced multiple timeout dimensions (idle, absolute and persistent), indicating that the previous single timeout mechanism was insufficient. These functions directly controlled session validation logic, and their incomplete timeout enforcement created the authentication bypass vulnerability.
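The difference between an idle-only timeout and a layered idle/absolute/persistent policy is easiest to see in a small simulation. The following is an added example, not rdiffweb's code: the function names (is_login_idle_only, is_login_hardened, simulate), the Session class and the timeout values are all hypothetical and constructed for illustration. It shows that a session validated only against inactivity survives for as long as requests keep arriving, whereas an absolute limit expires it regardless of activity, with a separate, longer limit for "remember me" sessions.

```python
from dataclasses import dataclass

# Hypothetical timeout policy (constructed values, not rdiffweb's settings).
IDLE_TIMEOUT = 10 * 60              # 10 minutes without a request
ABSOLUTE_TIMEOUT = 8 * 60 * 60      # 8 hours since login, regardless of activity
PERSISTENT_TIMEOUT = 30 * 24 * 3600  # 30 days for persistent ("remember me") sessions


@dataclass
class Session:
    """Minimal server-side session record (hypothetical, for the example)."""
    username: str
    login_time: float     # seconds since epoch at login
    last_access: float    # seconds since epoch of the last validated request
    persistent: bool = False
    expired: bool = False


def is_login_idle_only(session: Session, now: float) -> bool:
    """Weak validator: only an idle timeout is enforced.

    A client that sends a request at least every IDLE_TIMEOUT seconds keeps
    the session alive forever, because nothing bounds its total lifetime.
    """
    if session.expired:
        return False
    if now - session.last_access > IDLE_TIMEOUT:
        session.expired = True
        return False
    session.last_access = now
    return True


def is_login_hardened(session: Session, now: float) -> bool:
    """Layered validator: idle, absolute and persistent limits.

    Non-persistent sessions must satisfy both the idle and the absolute
    limit; persistent sessions skip the idle check but are still capped by
    PERSISTENT_TIMEOUT measured from the original login.
    """
    if session.expired:
        return False
    if not session.persistent and now - session.last_access > IDLE_TIMEOUT:
        session.expired = True
        return False
    lifetime_limit = PERSISTENT_TIMEOUT if session.persistent else ABSOLUTE_TIMEOUT
    if now - session.login_time > lifetime_limit:
        session.expired = True
        return False
    session.last_access = now
    return True


def simulate(check, persistent=False, interval=5 * 60, duration=24 * 3600):
    """Replay one request every `interval` seconds for `duration` seconds.

    Returns the simulated time (seconds after login) at which the validator
    first rejected the session, or None if it was still accepted at the end.
    """
    session = Session("alice", login_time=0.0, last_access=0.0, persistent=persistent)
    now = 0.0
    while now <= duration:
        if not check(session, now):
            return now
        now += interval
    return None


if __name__ == "__main__":
    print("idle-only, request every 5 min:", simulate(is_login_idle_only))        # None: never expires
    print("hardened, request every 5 min:", simulate(is_login_hardened))          # 29100.0: cut at ~8 h
    print("hardened persistent, 5 min:", simulate(is_login_hardened, True))       # None: 30-day cap not reached
    print("hardened, request every 15 min:", simulate(is_login_hardened, interval=900))  # 900.0: idle limit
```

The absolute limit is what closes the gap described above: once it is measured from login_time rather than from last_access, no pattern of client activity can extend a session past the configured lifetime, and the persistent case gets its own explicit cap instead of inheriting unlimited validity.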
