
CVE-2022-3457: Origin Validation Error in rdiffweb

CVSS Score: 9.8 (CVSS v3.1)

Basic Information

EPSS Score: 0.70803%
Published: 10/14/2022
Updated: 11/22/2024
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name: rdiffweb
Ecosystem: pip
Vulnerable Versions: < 2.5.0a5
First Patched Version: 2.5.0a5

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The critical vulnerability stems from improper Origin header validation in the set_headers function. The commit diff shows the validation was changed from a prefix check (startswith) to an exact match comparison. The original implementation's use of startswith() allowed malicious origins with matching prefixes (e.g., 'http://victim.com.attacker.net' matching 'http://victim.com'). The added test case 'test_post_with_prefixed_origin' demonstrates this vulnerability by showing prefixed origins were previously accepted. The CWE-346 classification and CVSS 9.8 score confirm the critical nature of this origin validation flaw in the identified function.
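The contrast the analysis draws between a prefix check and an exact match is easiest to see when both checks are run over the same Origin header values. The following is an added example written for this page, not rdiffweb's own set_headers code: the function names, the expected origin "http://victim.com" and the sample Origin values are all constructed for illustration. It also extends the analysis's single example slightly by including a same-host, different-port origin, which the prefix check likewise accepts.

```python
"""Prefix-based vs exact-match Origin validation (illustrative, not rdiffweb's code)."""
from typing import Dict, Iterable, List, Tuple

# Constructed expected origin for the server. A real application derives this
# from its configured base URL; this constant only stands in for that value.
EXPECTED_ORIGIN = "http://victim.com"


def origin_allowed_prefix(origin: str, expected: str = EXPECTED_ORIGIN) -> bool:
    """Vulnerable check: accepts any Origin that merely begins with the expected value.

    This is the startswith() pattern the root cause analysis describes; a hostname
    that continues past the expected value (or adds a port) still passes.
    """
    return origin.startswith(expected)


def origin_allowed_exact(origin: str, expected: str = EXPECTED_ORIGIN) -> bool:
    """Hardened check: the Origin must equal the expected value character for character.

    The Origin header carries only scheme, host and optional port, so a full-string
    comparison against the server's own origin is the appropriate test.
    """
    return origin == expected


def evaluate(origins: Iterable[str]) -> Dict[str, Tuple[bool, bool]]:
    """Run both checks over Origin header values; returns {origin: (prefix_result, exact_result)}."""
    return {o: (origin_allowed_prefix(o), origin_allowed_exact(o)) for o in origins}


# Constructed sample Origin header values. The second entry is the prefix-collision
# shape quoted in the analysis; the third shows the same weakness via a port suffix.
SAMPLE_ORIGINS = [
    "http://victim.com",
    "http://victim.com.attacker.net",
    "http://victim.com:8080",
    "https://victim.com",
    "http://attacker.net",
]


def accepted_only_by_prefix(origins: Iterable[str] = SAMPLE_ORIGINS) -> List[str]:
    """Origins the vulnerable check admits but the exact check rejects.

    This list is exactly the set of foreign origins the fix closes off.
    """
    return [o for o, (prefix_ok, exact_ok) in evaluate(origins).items() if prefix_ok and not exact_ok]


if __name__ == "__main__":
    for origin, (prefix_ok, exact_ok) in evaluate(SAMPLE_ORIGINS).items():
        print(f"{origin:35} prefix={prefix_ok!s:5} exact={exact_ok}")
    print("accepted only by prefix check:", accepted_only_by_prefix())
```

Running the block prints one row per sample origin; the two rows where the prefix check says True and the exact check says False are the cases the patch removes. A regression test in the spirit of the page's test_post_with_prefixed_origin would assert that accepted_only_by_prefix() is empty once the exact check is the one in use.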


WAF Protection Rules

WAF Rule

ikus060/rdiffweb prior to 2.5.0a5 did not enforce origin validation in web traffic. Users are advised to upgrade to version 2.5.0a5.
