
CVE-2023-0055: Pyload contains Sensitive Cookie in HTTPS Session Without 'Secure' Attribute

CVSS Score (v3.1): 5.3

Basic Information

EPSS Score: 0.2657%
Published: 1/5/2023
Updated: 1/27/2023
KEV Status: No
Technology: Python

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version
pyload-ng    | pip       | < 0.5.0b3.dev32     | 0.5.0b3.dev32

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stems from a missing Secure attribute on session cookies. The commit diff shows that the fix was adding a SESSION_COOKIE_SECURE configuration setting in the _configure_session method. This function directly controls the session cookie's security attributes, and its pre-patch version failed to set the Secure flag even though the application supports HTTPS, which makes it the root cause. The file path and function name are shown explicitly in the provided diff context.
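As an added example (not code from the pyLoad project or from Miggo), the following pure-standard-library Python mirrors the shape of the fix described above: a Flask-style session configuration in its pre-patch form (SESSION_COOKIE_SECURE never set) beside the corrected form, the Set-Cookie header each one produces, and an audit routine a defender can run over captured Set-Cookie headers to flag session cookies served over HTTPS without the Secure attribute. The function names session_config, render_set_cookie, parse_set_cookie and audit_set_cookie, the cookie name pyload_session and the sample session value are assumptions of this example; pyLoad's actual _configure_session code is not reproduced here.

```python
"""Added example: session-cookie Secure attribute, the pre-patch and the
corrected configuration side by side, plus an audit of the resulting
Set-Cookie headers. Standard library only; all names here are this
example's own assumptions, not pyLoad's code."""
from http.cookies import SimpleCookie


def session_config(https_enabled: bool, secure_cookie_fix: bool = True) -> dict:
    """Flask-style session settings (pyLoad's web UI is Flask-based).

    With secure_cookie_fix=False the dict mirrors the pre-patch state from the
    root cause analysis: SESSION_COOKIE_SECURE is never set, so Flask falls
    back to its default of False even when the server is reached over HTTPS.
    The fixed variant sets it from the HTTPS setting (assumed shape of the fix).
    """
    cfg = {
        "SESSION_COOKIE_NAME": "pyload_session",  # assumed cookie name
        "SESSION_COOKIE_HTTPONLY": True,
        "SESSION_COOKIE_SAMESITE": "Lax",
    }
    if secure_cookie_fix:
        cfg["SESSION_COOKIE_SECURE"] = https_enabled
    return cfg


def render_set_cookie(cfg: dict, value: str) -> str:
    """Build the Set-Cookie header a server with this config would emit."""
    jar = SimpleCookie()
    name = cfg["SESSION_COOKIE_NAME"]
    jar[name] = value
    morsel = jar[name]
    morsel["path"] = "/"
    morsel["httponly"] = cfg.get("SESSION_COOKIE_HTTPONLY", False)
    morsel["samesite"] = cfg.get("SESSION_COOKIE_SAMESITE", "")
    # Flask's default when the key is absent is False: no Secure attribute.
    morsel["secure"] = cfg.get("SESSION_COOKIE_SECURE", False)
    return morsel.OutputString()


def parse_set_cookie(header: str) -> tuple:
    """Return (cookie name, set of lower-cased attribute names) for a header."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    return name, attrs


def audit_set_cookie(headers: list, served_over_https: bool = True) -> list:
    """Flag cookies that lack Secure (when served over HTTPS) or HttpOnly.

    Returns a list of (cookie name, finding) tuples; an empty list is clean.
    """
    findings = []
    for header in headers:
        name, attrs = parse_set_cookie(header)
        if served_over_https and "secure" not in attrs:
            findings.append((name, "missing Secure"))
        if "httponly" not in attrs:
            findings.append((name, "missing HttpOnly"))
    return findings


if __name__ == "__main__":
    for fixed in (False, True):
        cfg = session_config(https_enabled=True, secure_cookie_fix=fixed)
        header = render_set_cookie(cfg, "0123abcd")  # constructed session id
        label = "fixed" if fixed else "pre-patch"
        print(label, "|", header, "|", audit_set_cookie([header]))
```

Run stand-alone, the pre-patch configuration yields a header without Secure and one finding, while the fixed configuration yields a header ending in Secure and no findings. The audit only treats a missing Secure attribute as a finding when the response was served over HTTPS, which is exactly the condition in this CVE's title: a Secure-less cookie on a plain-HTTP deployment is expected, one on an HTTPS deployment is the defect.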


WAF Protection Rules

WAF Rule

Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in GitHub repository pyload/pyload prior to 0.5.0b3.dev32. The Secure attribute for sensitive cookies in HTTPS sessions is not set, which could cause the user agent to send those cookies in
