pysec - pysec-2024-168

pysec-2024-168

Vulnerability from pysec

Published

2024-10-09 19:15

Modified

2025-01-18 19:19

Severity ?

6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Details

Taipy is an open-source Python library for easy, end-to-end application development for data scientists and machine learning engineers. In affected versions session cookies are served without Secure and HTTPOnly flags. This issue has been addressed in release version 4.0.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability.

Impacted products

Name	purl
taipy	pkg:pypi/taipy

Aliases

JSON

To clipboard

{
   affected: [
      {
         package: {
            ecosystem: "PyPI",
            name: "taipy",
            purl: "pkg:pypi/taipy",
         },
         ranges: [
            {
               events: [
                  {
                     introduced: "0",
                  },
                  {
                     fixed: "4.0.0",
                  },
               ],
               type: "ECOSYSTEM",
            },
         ],
         versions: [
            "1.0.0",
            "1.1.0",
            "2.0.0",
            "2.1.0",
            "2.2.0",
            "2.3.0",
            "2.3.1",
            "2.4.0",
            "3.0.0",
            "3.1.0",
            "3.1.1",
         ],
      },
   ],
   aliases: [
      "CVE-2024-47833",
      "GHSA-r3jq-4r5c-j9hp",
   ],
   details: "Taipy is an open-source Python library for easy, end-to-end application development for data scientists and machine learning engineers. In affected versions session cookies are served without Secure and HTTPOnly flags. This issue has been addressed in release version 4.0.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability.",
   id: "PYSEC-2024-168",
   modified: "2025-01-18T19:19:07.718423+00:00",
   published: "2024-10-09T19:15:14+00:00",
   references: [
      {
         type: "ADVISORY",
         url: "https://github.com/Avaiga/taipy/security/advisories/GHSA-r3jq-4r5c-j9hp",
      },
      {
         type: "EVIDENCE",
         url: "https://github.com/Avaiga/taipy/security/advisories/GHSA-r3jq-4r5c-j9hp",
      },
   ],
   severity: [
      {
         score: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
         type: "CVSS_V3",
      },
   ],
}

ghsa-r3jq-4r5c-j9hp

Vulnerability from github

Published

2024-08-27 19:50

Modified

2025-01-21 18:28

Severity ?

6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
6.3 (Medium) - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Summary

Taipy has a Session Cookie without Secure and HTTPOnly flags

Details

Summary

Session cookie is without Secure and HTTPOnly flags.

Details

Please take a look at this part of code (PoC screenshot) or check code directly (provided in Occurrences section below)

Occurrences: https://github.com/Avaiga/taipy/blob/develop/frontend/taipy-gui/src/components/Taipy/Navigate.tsx#L67

Proposed remediation: add Secure and HTTPOnly flags for cookies.

It could be like this: document.cookie = tprh=${tprh};path=/;Secure;HttpOnly;;

PoC

Screenshot:

Impact

Secure: This flag indicates that the cookie should only be sent over secure HTTPS connections. Without this flag, the cookie will be sent over both HTTP and HTTPS connections, which could expose it to interception or tampering if the connection is not secure. HttpOnly: This flag prevents the cookie from being accessed by client-side JavaScript. It helps mitigate certain types of attacks, such as cross-site scripting (XSS), by preventing malicious scripts from accessing the cookie's value.

References CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute https://cwe.mitre.org/data/definitions/614.html CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag - https://cwe.mitre.org/data/definitions/1004.html OWASP - Secure Cookie Attribute - https://owasp.org/www-community/controls/SecureCookieAttribute Cookie security flags - https://www.invicti.com/learn/cookie-security-flags/ Cookie lack Secure flag - https://support.detectify.com/support/solutions/articles/48001048982-cookie-lack-secure-flag

Other: Title: Encrypting the Web URL: https://www.eff.org/encrypt-the-web

Update (Required advisory information) - added severity, resource: https://portswigger.net/kb/issues/00500200_tls-cookie-without-secure-flag-set

Best regards,

Show details on source website

JSON

To clipboard

{
   affected: [
      {
         database_specific: {
            last_known_affected_version_range: "<= 3.1.1",
         },
         package: {
            ecosystem: "PyPI",
            name: "taipy",
         },
         ranges: [
            {
               events: [
                  {
                     introduced: "0",
                  },
                  {
                     fixed: "4.0.0",
                  },
               ],
               type: "ECOSYSTEM",
            },
         ],
      },
   ],
   aliases: [
      "CVE-2024-47833",
   ],
   database_specific: {
      cwe_ids: [
         "CWE-1004",
         "CWE-319",
         "CWE-614",
      ],
      github_reviewed: true,
      github_reviewed_at: "2024-08-27T19:50:59Z",
      nvd_published_at: "2024-10-09T19:15:14Z",
      severity: "MODERATE",
   },
   details: "### Summary\nSession cookie is without Secure and HTTPOnly flags.\n\n### Details\nPlease take a look at this part of code (PoC screenshot) or check code directly (provided in Occurrences section below)\n\n**Occurrences**:\nhttps://github.com/Avaiga/taipy/blob/develop/frontend/taipy-gui/src/components/Taipy/Navigate.tsx#L67\n\n**Proposed remediation:** add Secure and HTTPOnly flags for cookies.\n\nIt could be like this:\ndocument.cookie = `tprh=${tprh};path=/;Secure;HttpOnly;`;\n\n\n### PoC\n**Screenshot**:\n![image](https://github.com/Avaiga/taipy/assets/18367606/ea7d1bbd-ba27-447f-932b-3d33ffc1a2e7)\n\n\n### Impact\n**Secure**: This flag indicates that the cookie should only be sent over secure HTTPS connections. Without this flag, the cookie will be sent over both HTTP and HTTPS connections, which could expose it to interception or tampering if the connection is not secure.\n**HttpOnly:** This flag prevents the cookie from being accessed by client-side JavaScript. It helps mitigate certain types of attacks, such as cross-site scripting (XSS), by preventing malicious scripts from accessing the cookie's value.\n\n**References**\n    CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute https://cwe.mitre.org/data/definitions/614.html\n    CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag - https://cwe.mitre.org/data/definitions/1004.html\n    OWASP - Secure Cookie Attribute - https://owasp.org/www-community/controls/SecureCookieAttribute\n    Cookie security flags - https://www.invicti.com/learn/cookie-security-flags/\n    Cookie lack Secure flag - https://support.detectify.com/support/solutions/articles/48001048982-cookie-lack-secure-flag\n\n**Other**:\nTitle: Encrypting the Web\nURL: https://www.eff.org/encrypt-the-web\n\nUpdate (Required advisory information) - added severity, resource: \nhttps://portswigger.net/kb/issues/00500200_tls-cookie-without-secure-flag-set\n\nBest regards,",
   id: "GHSA-r3jq-4r5c-j9hp",
   modified: "2025-01-21T18:28:45Z",
   published: "2024-08-27T19:50:59Z",
   references: [
      {
         type: "WEB",
         url: "https://github.com/Avaiga/taipy/security/advisories/GHSA-r3jq-4r5c-j9hp",
      },
      {
         type: "ADVISORY",
         url: "https://nvd.nist.gov/vuln/detail/CVE-2024-47833",
      },
      {
         type: "PACKAGE",
         url: "https://github.com/Avaiga/taipy",
      },
      {
         type: "WEB",
         url: "https://github.com/Avaiga/taipy/blob/develop/frontend/taipy-gui/src/components/Taipy/Navigate.tsx#L67",
      },
      {
         type: "WEB",
         url: "https://github.com/pypa/advisory-database/tree/main/vulns/taipy/PYSEC-2024-168.yaml",
      },
   ],
   schema_version: "1.4.0",
   severity: [
      {
         score: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
         type: "CVSS_V3",
      },
      {
         score: "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
         type: "CVSS_V4",
      },
   ],
   summary: "Taipy has a Session Cookie without Secure and HTTPOnly flags",
}

cve-2024-47833

Vulnerability from cvelistv5

Published

2024-10-09 18:25

Modified

2024-10-09 19:55

Severity ?

6.3 (Medium) - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Summary

References

▼	URL	Tags
	https://github.com/Avaiga/taipy/security/advisories/GHSA-r3jq-4r5c-j9hp	x_refsource_CONFIRM

Impacted products

	Vendor	Product	Version
	Avaiga	taipy	Version: < 4.0.0

Show details on NVD website

JSON

To clipboard

{
   containers: {
      adp: [
         {
            affected: [
               {
                  cpes: [
                     "cpe:2.3:a:avaiga:taipy:*:*:*:*:*:*:*:*",
                  ],
                  defaultStatus: "unknown",
                  product: "taipy",
                  vendor: "avaiga",
                  versions: [
                     {
                        lessThan: "4.0.0",
                        status: "affected",
                        version: "0",
                        versionType: "custom",
                     },
                  ],
               },
            ],
            metrics: [
               {
                  other: {
                     content: {
                        id: "CVE-2024-47833",
                        options: [
                           {
                              Exploitation: "poc",
                           },
                           {
                              Automatable: "no",
                           },
                           {
                              "Technical Impact": "partial",
                           },
                        ],
                        role: "CISA Coordinator",
                        timestamp: "2024-10-09T19:51:41.486824Z",
                        version: "2.0.3",
                     },
                     type: "ssvc",
                  },
               },
            ],
            providerMetadata: {
               dateUpdated: "2024-10-09T19:55:10.993Z",
               orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0",
               shortName: "CISA-ADP",
            },
            title: "CISA ADP Vulnrichment",
         },
      ],
      cna: {
         affected: [
            {
               product: "taipy",
               vendor: "Avaiga",
               versions: [
                  {
                     status: "affected",
                     version: "< 4.0.0",
                  },
               ],
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "Taipy is an open-source Python library for easy, end-to-end application development for data scientists and machine learning engineers. In affected versions session cookies are served without Secure and HTTPOnly flags. This issue has been addressed in release version 4.0.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability.",
            },
         ],
         metrics: [
            {
               cvssV4_0: {
                  attackComplexity: "LOW",
                  attackRequirements: "PRESENT",
                  attackVector: "NETWORK",
                  baseScore: 6.3,
                  baseSeverity: "MEDIUM",
                  privilegesRequired: "NONE",
                  subAvailabilityImpact: "NONE",
                  subConfidentialityImpact: "NONE",
                  subIntegrityImpact: "NONE",
                  userInteraction: "NONE",
                  vectorString: "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
                  version: "4.0",
                  vulnAvailabilityImpact: "LOW",
                  vulnConfidentialityImpact: "LOW",
                  vulnIntegrityImpact: "LOW",
               },
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-614",
                     description: "CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
            {
               descriptions: [
                  {
                     cweId: "CWE-1004",
                     description: "CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2024-10-09T18:25:02.563Z",
            orgId: "a0819718-46f1-4df5-94e2-005712e83aaa",
            shortName: "GitHub_M",
         },
         references: [
            {
               name: "https://github.com/Avaiga/taipy/security/advisories/GHSA-r3jq-4r5c-j9hp",
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://github.com/Avaiga/taipy/security/advisories/GHSA-r3jq-4r5c-j9hp",
            },
         ],
         source: {
            advisory: "GHSA-r3jq-4r5c-j9hp",
            discovery: "UNKNOWN",
         },
         title: "Session Cookie without Secure and HTTPOnly flags in taipy",
      },
   },
   cveMetadata: {
      assignerOrgId: "a0819718-46f1-4df5-94e2-005712e83aaa",
      assignerShortName: "GitHub_M",
      cveId: "CVE-2024-47833",
      datePublished: "2024-10-09T18:25:02.563Z",
      dateReserved: "2024-10-03T14:06:12.643Z",
      dateUpdated: "2024-10-09T19:55:10.993Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

pysec-2024-168

Vulnerability from pysec

ghsa-r3jq-4r5c-j9hp

Vulnerability from github

Summary

Details

PoC

Impact

cve-2024-47833

Vulnerability from cvelistv5

Tags

Sightings

Nomenclature