CVE-2024-47833 - OpenCVE

Taipy is an open-source Python library for easy, end-to-end application development for data scientists and machine learning engineers. In affected versions session cookies are served without Secure and HTTPOnly flags. This issue has been addressed in release version 4.0.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements Present

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation poc

Automatable no

Technical Impact partial

Vendors	Products
Avaiga	Taipy

No data.

No data.

References

Link	Providers
https://github.com/Avaiga/taipy/security/advisories/GHSA-r3jq-4r5c-j9hp

History

Wed, 09 Oct 2024 20:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Avaiga Avaiga taipy
CPEs		cpe:2.3:a:avaiga:taipy::::::::
Vendors & Products		Avaiga Avaiga taipy
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 09 Oct 2024 18:45:00 +0000

Type	Values Removed	Values Added
Description		Taipy is an open-source Python library for easy, end-to-end application development for data scientists and machine learning engineers. In affected versions session cookies are served without Secure and HTTPOnly flags. This issue has been addressed in release version 4.0.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
Title		Session Cookie without Secure and HTTPOnly flags in taipy
Weaknesses		CWE-1004 CWE-614
References		https://github.com/Avaiga/taipy/security/advisories/GHSA-r3jq-4r5c-j9hp
Metrics		cvssV4_0 `{'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-10-09T18:25:02.563Z

Updated: 2024-10-09T19:55:10.993Z

Reserved: 2024-10-03T14:06:12.643Z

Link: CVE-2024-47833

Vulnrichment

Updated: 2024-10-09T19:54:51.487Z

NVD

Status : Received

Published: 2024-10-09T19:15:14.793

Modified: 2024-10-09T19:15:14.793

Link: CVE-2024-47833

Redhat

No data.

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-47833", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-10-09T19:51:41.486824Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:avaiga:taipy:*:*:*:*:*:*:*:*"], "vendor": "avaiga", "product": "taipy", "versions": [{"status": "affected", "version": "0", "lessThan": "4.0.0", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-09T19:54:51.487Z"}}], "cna": {"title": "Session Cookie without Secure and HTTPOnly flags in taipy", "source": {"advisory": "GHSA-r3jq-4r5c-j9hp", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW"}}], "affected": [{"vendor": "Avaiga", "product": "taipy", "versions": [{"status": "affected", "version": "< 4.0.0"}]}], "references": [{"url": "https://github.com/Avaiga/taipy/security/advisories/GHSA-r3jq-4r5c-j9hp", "name": "https://github.com/Avaiga/taipy/security/advisories/GHSA-r3jq-4r5c-j9hp", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Taipy is an open-source Python library for easy, end-to-end application development for data scientists and machine learning engineers. In affected versions session cookies are served without Secure and HTTPOnly flags. This issue has been addressed in release version 4.0.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-614", "description": "CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1004", "description": "CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-10-09T18:25:02.563Z"}}}, "cveMetadata": {"cveId": "CVE-2024-47833", "state": "PUBLISHED", "dateUpdated": "2024-10-09T19:55:10.993Z", "dateReserved": "2024-10-03T14:06:12.643Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-10-09T18:25:02.563Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Taipy is an open-source Python library for easy, end-to-end application development for data scientists and machine learning engineers. In affected versions session cookies are served without Secure and HTTPOnly flags. This issue has been addressed in release version 4.0.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability."}], "id": "CVE-2024-47833", "lastModified": "2024-10-09T19:15:14.793", "metrics": {"cvssMetricV40": [{"cvssData": {"attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "automatable": "NOT_DEFINED", "availabilityRequirements": "NOT_DEFINED", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityRequirements": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirements": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubsequentSystemAvailability": "NOT_DEFINED", "modifiedSubsequentSystemConfidentiality": "NOT_DEFINED", "modifiedSubsequentSystemIntegrity": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnerableSystemAvailability": "NOT_DEFINED", "modifiedVulnerableSystemConfidentiality": "NOT_DEFINED", "modifiedVulnerableSystemIntegrity": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "recovery": "NOT_DEFINED", "safety": "NOT_DEFINED", "subsequentSystemAvailability": "NONE", "subsequentSystemConfidentiality": "NONE", "subsequentSystemIntegrity": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnerabilityResponseEffort": "NOT_DEFINED", "vulnerableSystemAvailability": "LOW", "vulnerableSystemConfidentiality": "LOW", "vulnerableSystemIntegrity": "LOW"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-10-09T19:15:14.793", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/Avaiga/taipy/security/advisories/GHSA-r3jq-4r5c-j9hp"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1004"}, {"lang": "en", "value": "CWE-614"}], "source": "security-advisories@github.com", "type": "Primary"}]}