7.5

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2022-3371

GHSA ID

GHSA-3fhq-72hw-jqwv

EPSS Score

0.61082%

CWE

CWE-770

Published

10/1/2022

Updated

10/25/2024

KEV Status

Technology

Python

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-3371

CVE-2022-3371: rdiffweb's lack of token name length limit can result in DoS or memory corruption

rdiffweb prior to 2.5.0a3 is vulnerable to Allocation of Resources Without Limits or Throttling. A lack of limit in the length of the Token name parameter can result in denial of service or memory corruption. Version 2.5.0a3 fixes this issue.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2022-3371

CVE-2022-3371:

7.5

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2022-3371

GHSA ID

GHSA-3fhq-72hw-jqwv

EPSS Score

0.61082%

CWE

CWE-770

Published

10/1/2022

Updated

10/25/2024

KEV Status

Technology

Python

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
rdiffweb	pip	< 2.5.0a3	2.5.0a3

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The core vulnerability stems from the Token name field in page_pref_tokens.py where the commit added a Length validator (max=256). The pre-patch code only had DataRequired(), leaving it vulnerable to resource exhaustion via long inputs. The Fullname field fixes are related but less critical, as the CVE specifically emphasizes the Token name parameter. The test cases (test_add_access_token_with_name_too_long) confirm the token name validation was the primary attack vector.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

7.5

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2022-3371: rdiffweb's lack of token name length limit can result in DoS or memory corruption

CVE-2022-3371:

7.5

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Basic Information

Basic Information

CVE-2022-3371: rdiffweb's lack of token name length limit can result in DoS or memory corruption

7.5

7.5

Technical Details

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI