CVE-2022-3269 Session Fixation in GitHub repository ikus060/rdiffweb prior to 2.4.7.

This is a known issue and is fixed in rdiffweb 2.4.7. The remedy is to update to 2.4.7 or later. Do not downgrade: every release before 2.4.7 carries the flaw, so moving back to an older branch such as 2.3.x does not remove it. Check which version is installed before and after updating, with your package manager or with pip (rdiffweb is published on PyPI), and confirm that it reports 2.4.7 or later.

Session fixation (CWE-384) means that a session identifier that was valid before authentication stays valid after the user logs in. An attacker who can get a victim's browser to use a session identifier the attacker already knows, and then waits for the victim to log in, ends up holding an authenticated session without ever learning the password. The remedy belongs in the application, not in the filesystem: the server has to issue a fresh session identifier at login and invalidate the one the client arrived with. There is nothing to delete from /usr/bin, /usr/share or similar directories. Upgrade rdiffweb to 2.4.7 or later, restart the service so the new code is actually loaded, and treat sessions that were established before the upgrade as untrusted by having users log in again.
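The following is an added example, not rdiffweb's code and not taken from the advisory, that reproduces the vulnerability class behind this CVE with a minimal in-memory session layer. The SessionApp class, the constructed USERS table and the fixation_attack helper are all assumptions made for the demonstration; the page does not describe rdiffweb's internals. With rotate_on_login=False the identifier the client arrived with becomes an authenticated identifier after login, which is the fixation pattern; with rotate_on_login=True the server issues a fresh identifier at login and discards the old one, which is the standard fix.

```python
import hmac
import secrets

# Constructed demo credentials for the example; a real application stores password hashes.
USERS = {"alice": "correct horse battery staple"}


class SessionApp:
    """Tiny stand-in for a web application's session layer (hypothetical, not rdiffweb's).

    rotate_on_login=False reproduces session fixation (CWE-384): the session id the
    client arrived with stays valid after authentication.
    rotate_on_login=True applies the standard fix: a fresh id is issued at login and
    the pre-authentication id is invalidated.
    """

    def __init__(self, rotate_on_login):
        self.rotate_on_login = rotate_on_login
        self._sessions = {}  # session id -> session data

    def start_session(self):
        """Anonymous visit: the server issues a fresh, unauthenticated session id."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None}
        return sid

    def login(self, sid, username, password):
        """Authenticate the session identified by sid; returns the id the client should use next."""
        session = self._sessions.get(sid)
        if session is None:
            raise KeyError("unknown session")
        expected = USERS.get(username)
        if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
            return sid  # failed login: session unchanged, still anonymous
        if not self.rotate_on_login:
            session["user"] = username  # VULNERABLE: the pre-login id is now an authenticated id
            return sid
        # FIXED: bind the authenticated state to a brand-new id and drop the old one
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = {"user": username}
        del self._sessions[sid]
        return new_sid

    def whoami(self, sid):
        """Return the authenticated user for sid, or None if the session is anonymous or unknown."""
        session = self._sessions.get(sid)
        return session["user"] if session else None


def fixation_attack(app):
    """Play out the fixation scenario; returns (what the attacker sees, what the victim sees)."""
    # 1. Attacker obtains a valid anonymous session id from the server.
    planted_sid = app.start_session()
    # 2. Attacker plants it in the victim's browser (cookie injection, crafted link, ...).
    #    Delivery is out of scope for this example; assume it succeeded.
    # 3. Victim logs in while carrying the planted id.
    victim_sid = app.login(planted_sid, "alice", USERS["alice"])
    # 4. Attacker probes the id they planted; the victim keeps using whatever id the server returned.
    return app.whoami(planted_sid), app.whoami(victim_sid)


if __name__ == "__main__":
    print("vulnerable:", fixation_attack(SessionApp(rotate_on_login=False)))  # ('alice', 'alice')
    print("fixed:     ", fixation_attack(SessionApp(rotate_on_login=True)))   # (None, 'alice')
```

In the vulnerable configuration the attacker's planted identifier answers as alice after the victim logs in; in the fixed configuration the planted identifier is gone and only the freshly issued one is authenticated. Rotating the identifier is the whole fix: the attacker never had to guess or steal anything, only to make the victim use an id the attacker already knew.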


rdiffweb 2.4.7 is released to address CVE-2022-3269

Installing or upgrading rdiffweb using the package manager

A distribution package can be installed with the system package manager on your Linux server, for example:
apt-get install rdiffweb
Note that rdiffweb is not part of the standard Debian or Ubuntu archives, so this only works once a repository that ships the package has been configured, and the packaged version must be 2.4.7 or later to contain the fix. rdiffweb is also published on PyPI and can be installed or upgraded with pip; whichever route you use, verify the installed version afterwards.
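As an added check that is not part of the advisory or of rdiffweb itself, the following Python snippet reads the installed rdiffweb version from package metadata and decides whether it is at or beyond the fixed release. The FIXED_VERSION constant comes from the advisory; parse_version, is_patched and installed_rdiffweb_version are helper names assumed for this example. Pre-releases of 2.4.7 itself (for instance a constructed "2.4.7b1") are conservatively treated as unpatched.

```python
import importlib.metadata
import re

# First release that addresses CVE-2022-3269, per the advisory.
FIXED_VERSION = (2, 4, 7)

# Leading dotted numeric part, then any suffix such as "b1", "rc1" or ".dev3".
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(.*)$")


def parse_version(text):
    """Split '2.4.6' or '2.4.7b1' into (numeric tuple, has_prerelease_suffix)."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    numbers = tuple(int(part) for part in match.group(1).split("."))
    return numbers, bool(match.group(2))


def is_patched(text):
    """True if the version is 2.4.7 or later; a pre-release of 2.4.7 itself counts as unpatched."""
    numbers, prerelease = parse_version(text)
    # Pad short versions so "2.5" compares as (2, 5, 0).
    padded = numbers + (0,) * (len(FIXED_VERSION) - len(numbers))
    if padded > FIXED_VERSION:
        return True
    return padded == FIXED_VERSION and not prerelease


def installed_rdiffweb_version():
    """Version string of the installed rdiffweb distribution, or None if it is not installed."""
    try:
        return importlib.metadata.version("rdiffweb")
    except importlib.metadata.PackageNotFoundError:
        return None


if __name__ == "__main__":
    installed = installed_rdiffweb_version()
    if installed is None:
        print("rdiffweb is not installed in this Python environment")
    elif is_patched(installed):
        print(f"rdiffweb {installed}: fixed for CVE-2022-3269")
    else:
        print(f"rdiffweb {installed}: AFFECTED by CVE-2022-3269, upgrade to 2.4.7 or later")
```

Run it with the same interpreter that runs rdiffweb, since importlib.metadata only sees the packages of the environment it is executed in. For a pip installation the upgrade itself is pip install --upgrade rdiffweb; re-run the check afterwards and restart the service so the new code is loaded.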

Timeline

Published on: 09/23/2022 10:15:00 UTC
Last modified on: 09/26/2022 17:05:00 UTC
