[rdiffweb] rdiffweb 2.4.1 vulnerable to Sensitive Cookie in HTTPS Session Without ‘Secure’ Attribute

rdiffweb version 2.4.1 is vulnerable to Sensitive Cookie in HTTPS Session Without ‘Secure’ Attribute. This makes it so that a user’s cookies can be sent to the server with an unencrypted request over the HTTP protocol. Version 2.4.2 contains a fix for the issue.

References

• https://nvd.nist.gov/vuln/detail/CVE-2022-3174
• https://github.com/ikus060/rdiffweb/commit/f2de2371c5e13ce1c6fd6f9a1ed3e5d46b93cd7e
• https://huntr.dev/bounties/d8a32bd6-c76d-4140-a5ca-ef368a3058ce
• https://github.com/advisories/GHSA-mjw4-xvx6-3grg