rdiffweb vulnerable to Authentication Bypass by Primary Weakness

GHSA-wf33-6x33-wcf9 · CVE-2022-4722 · PYSEC-2022-43008

Published Dec 27, 2022 · Modified Oct 25, 2024

Description

In rdiffweb prior to 2.5.5, the username field is not unique to users. This allows exploitation of primary key logic by creating the same name with different combinations & may allow unauthorized access.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2022-4722
WEB https://github.com/ikus060/rdiffweb/commit/d1aaa96b665a39fba9e98d6054a9de511ba0a837
PACKAGE https://github.com/ikus060/rdiffweb
WEB https://github.com/pypa/advisory-database/tree/main/vulns/rdiffweb/PYSEC-2022-43008.yaml
WEB https://huntr.dev/bounties/c62126dc-d9a6-4d3e-988d-967031876c58

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes