Business Logic Errors in ikus060/rdiffweb
Description
Business Logic Errors in GitHub repository ikus060/rdiffweb prior to 2.5.5.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2022-4719 is a business logic vulnerability in rdiffweb prior to 2.5.5: the application does not notify users when a new SSH key is added to their account, so a key can be added without the account owner noticing.
Vulnerability
Description
CVE-2022-4719 is a business logic error in rdiffweb, a web-based backup management application [1]. The vulnerability exists in versions prior to 2.5.5 and involves the lack of notification when a new SSH key is added to a user's account [2]. This missing security control means that users are not alerted to changes in their authorized SSH keys, which can be exploited to gain unauthorized access to backups.
Exploitation
An attacker who has obtained valid credentials or compromised a user session can add a new SSH key to the victim's account without triggering any email or other notification [2]. The attacker does not need any special privileges beyond the ability to authenticate as the user. Once the key is added, the attacker can use it to authenticate via SSH and access the user's backup repositories.
Impact
Successful exploitation allows an attacker to gain persistent, unauthorized SSH access to the victim's backup data. This could lead to data exfiltration, tampering, or deletion of backups. The vulnerability undermines the security of the backup system by allowing stealthy addition of authentication keys.
Mitigation
The issue was fixed in rdiffweb version 2.5.5, which adds email notification to the user when a new SSH key is added [2]. Users are strongly advised to upgrade to this version or later. No workarounds are documented, and the vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities catalog [3][4].
- [1] GitHub - ikus060/rdiffweb: A simplified backup management software for quick access to your archives through an efficient web interface.
- [2] Send notification on new SSH Key · ikus060/rdiffweb@bc4bed8
- [3] NVD - CVE-2022-4719
- [4] advisory-database/vulns/rdiffweb/PYSEC-2022-43005.yaml at main · pypa/advisory-database
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| rdiffweb (PyPI) | < 2.5.5 | 2.5.5 |
Affected products
- ikus060/rdiffweb (version range: unspecified)
Patches
bc4bed89affc: Send notification on new SSH Key
5 files changed · +78 −1
rdiffweb/core/model/_user.py+1 −0 modified@@ -182,6 +182,7 @@ def add_authorizedkey(self, key, comment=None): _("Duplicate key. This key already exists or is associated to another user.") ) cherrypy.engine.publish('user_attr_changed', self, {'authorizedkeys': True}) + cherrypy.engine.publish('authorizedkey_added', self, fingerprint=key.fingerprint, comment=comment) def add_access_token(self, name, expiration_time=None, length=16): """
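Review bot: `authorizedkey_added` is now published immediately after `user_attr_changed` from the same trigger, so any subscriber listening to both will see two events per key addition; a one-line comment stating that the new event exists to carry `fingerprint` and `comment` for the mail body, while `user_attr_changed` stays generic, would make the split read as intentional.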
rdiffweb/core/notification.py+17 −0 modified@@ -45,6 +45,7 @@ def start(self): self.bus.log('Start Notification plugin') self.bus.publish('schedule_job', self.execution_time, self.notification_job) self.bus.subscribe('access_token_added', self.access_token_added) + self.bus.subscribe('authorizedkey_added', self.authorizedkey_added) self.bus.subscribe('user_attr_changed', self.user_attr_changed) self.bus.subscribe('user_password_changed', self.user_password_changed) @@ -54,6 +55,7 @@ def stop(self): self.bus.log('Stop Notification plugin') self.bus.publish('unschedule_job', self.notification_job) self.bus.unsubscribe('access_token_added', self.access_token_added) + self.bus.unsubscribe('authorizedkey_added', self.authorizedkey_added) self.bus.unsubscribe('user_attr_changed', self.user_attr_changed) self.bus.unsubscribe('user_password_changed', self.user_password_changed) @@ -77,6 +79,21 @@ def access_token_added(self, userobj, name): ) self.bus.publish('queue_mail', to=userobj.email, subject=_("A new access token has been created"), message=body) + def authorizedkey_added(self, userobj, fingerprint, comment, **kwargs): + if not self.send_changed: + return + + if not userobj.email: + logger.info("can't sent mail to user [%s] without an email", userobj.username) + return + + # If the email attributes was changed, send a mail notification. + body = self.app.templates.compile_template( + "email_authorizedkey_added.html", + **{"header_name": self.app.cfg.header_name, 'user': userobj, 'comment': comment, 'fingerprint': fingerprint} + ) + self.bus.publish('queue_mail', to=userobj.email, subject=_("A new SSH Key has been added"), message=body) + def user_attr_changed(self, userobj, attrs={}): if not self.send_changed: return
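Review bot: the early `if not self.send_changed: return` in the new `authorizedkey_added` handler means a user who has opted out of ordinary change notifications also gets no alert for a new SSH key, which is exactly the event this change is meant to surface; consider sending this one regardless of `send_changed`, or at least documenting that the opt-out covers it. When `userobj.email` is empty the handler logs at info level and returns, so the key addition leaves no visible trace for that account; a warning-level log would be more appropriate. Minor: the log message reads "can't sent mail" (should be "can't send mail"), and the comment "# If the email attributes was changed, send a mail notification." was copied from `user_attr_changed` and does not describe this handler.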
rdiffweb/core/tests/test_notification.py+39 −0 modified@@ -188,3 +188,42 @@ def test_password_change_with_same_value(self): subject='Password changed', message='<html>\n <head></head>\n <body>\n <p>\n <a>Hey admin,</a>\n </p>\n <p>You recently changed the password associated with your Rdiffweb account.</p>\n <p>\n If you did not make this change and believe your account has been compromised, please contact your administrator.\n </p>\n </body>\n</html>', ) + + def test_access_token_added(self): + # Given a user with a email. + user = UserObject.get_user(self.USERNAME) + user.email = 'password_change@test.com' + user.set_password('new_password') + user.add().commit() + self.listener.queue_email.reset_mock() + + # When adding a new access token + user.add_access_token('TEST') + + # Then a notification is sent to the user + self.listener.queue_email.assert_called_once_with( + to='password_change@test.com', + subject='A new access token has been created', + message='<html>\n <head></head>\n <body>\n <p>\n <a>Hey admin,</a>\n </p>\n <p>\n <a>A new access token, named "TEST", has been created.</a>\n </p>\n <p>\n If you did not make this change and believe your account has been compromised, please contact your administrator.\n </p>\n </body>\n</html>', + ) + + def test_authorizedkey_added(self): + # Given a user with a email. 
+ user = UserObject.get_user(self.USERNAME) + user.email = 'password_change@test.com' + user.set_password('new_password') + user.add().commit() + self.listener.queue_email.reset_mock() + + # When adding a new access token + user.add_authorizedkey( + key="ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDSEN5VTn9MLituZvdYTZMbZEaMxe0UuU7BelxHkvxzSpVWtazrIBEc3KZjtVoK9F3+0kd26P4DzSQuPUl3yZDgyZZeXrF6p2GlEA7A3tPuOEsAQ9c0oTiDYktq5/Go8vD+XAZKLd//qmCWW1Jg4datkWchMKJzbHUgBrBH015FDbGvGDWYTfVyb8I9H+LQ0GmbTHsuTu63DhPODncMtWPuS9be/flb4EEojMIx5Vce0SNO9Eih38W7jTvNWxZb75k5yfPJxBULRnS5v/fPnDVVtD3JSGybSwKoMdsMX5iImAeNhqnvd8gBu1f0IycUQexTbJXk1rPiRcF13SjKrfXz ikus060@ikus060-t530", + comment="test@mysshkey", + ) + + # Then a notification is sent to the user + self.listener.queue_email.assert_called_once_with( + to='password_change@test.com', + subject='A new SSH Key has been added', + message='<html>\n <head></head>\n <body>\n <p>\n <a>Hey admin,</a>\n </p>\n <p>\n <a>A new SSH Key, titled "test@mysshkey" with fingerprint "4d:42:8b:35:e5:55:71:f7:b3:0d:58:f9:b1:2c:9e:91" has been created in your account.</a>\n </p>\n <p>\n If you did not make this change and believe your account has been compromised, please contact your administrator.\n </p>\n </body>\n</html>', + )
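Review bot: in `test_authorizedkey_added` the step comment "# When adding a new access token" was copied from the preceding test and should read "# When adding a new SSH key"; both tests also reuse the address `password_change@test.com`, so a wrong-recipient failure would be harder to attribute. Since the assertion compares the full rendered body, any wording change in `email_authorizedkey_added.html` will require updating this string as well.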
rdiffweb/templates/email_authorizedkey_added.html+14 −0 added@@ -0,0 +1,14 @@ +<html> + <head></head> + <body> + <p> + <a>{% trans username=(user.fullname or user.username) %}Hey {{ username }},{% endtrans %}</a> + </p> + <p> + <a>{% trans %}A new SSH Key, titled "{{ comment }}" with fingerprint "{{ fingerprint }}" has been created in your account.{% endtrans %}</a> + </p> + <p> + {% trans %}If you did not make this change and believe your account has been compromised, please contact your administrator.{% endtrans %} + </p> + </body> +</html>
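Review bot: the template interpolates `{{ comment }}`, a value chosen by whoever submitted the key, into the body of the mail that is supposed to warn the account owner; confirm that the template environment autoescapes it so that markup in a key comment cannot alter the notification. The bare `<a>` wrappers without `href` appear to be the anti-auto-hyperlink measure described in the changelog hunk; a short template comment saying so would stop a future cleanup from removing them.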
README.md+7 −1 modified@@ -108,7 +108,13 @@ Professional support for Rdiffweb is available by contacting [IKUS Soft](https:/ # Changelog -## Next Release - 2.5.4 +## Next Release - 2.5.5 + +* Fix loading of Charts in Status page +* Ensure Gmail and other mail client doesn't create hyperlink automatically for any nodification sent by Rdiffweb to avoid phishing - credit to [Nehal Pillai](https://www.linkedin.com/in/nehal-pillai-02a854172) +* Sent email notification to user when a new SSH Key get added - credit to [Nehal Pillai](https://www.linkedin.com/in/nehal-pillai-02a854172) + +## 2.5.4 (2022-12-19) * Discard `X-Forwarded-Host` headers credit to [Anishka Shukla](https://github.com/anishkashukla) * Create proper symbolic link of `chartkick.js` on Ubuntu Jammy to fix loading of Charts in web interface
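Review bot: typos in the changelog lines: "nodification" should be "notification", "doesn't create hyperlink" should be "don't create hyperlinks", and "Sent email notification to user when a new SSH Key get added" should be "Send an email notification to the user when a new SSH key is added".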
Vulnerability mechanics
Root cause
"The application failed to notify users when a new SSH key was added to their account, preventing the detection of unauthorized account modifications."
Attack vector
An attacker who gains unauthorized access to a user's account could add a new SSH key to maintain persistent access without the legitimate user's knowledge. Because the application previously failed to send notifications for this action, the user would not be alerted to the compromise. This lack of notification constitutes a business logic error that hinders incident detection [patch_id=23188].
Affected code
The vulnerability involves the `rdiffweb/core/model/_user.py` and `rdiffweb/core/notification.py` files. Specifically, the system lacked a mechanism to notify users when a new SSH key was added to their account, which is a critical security event. The patch introduces the `authorizedkey_added` event and corresponding notification logic to address this.
What the fix does
The patch adds a new event, `authorizedkey_added`, which is triggered in `rdiffweb/core/model/_user.py` whenever an SSH key is successfully added to a user account. The `rdiffweb/core/notification.py` file was updated to subscribe to this event and send an email notification to the user. This ensures that users are alerted to changes in their account's authentication methods, allowing for faster detection of unauthorized access. A new email template was also created to support these notifications.
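As an added example (not rdiffweb's own code), a reduced model of the event-bus flow the fix introduces: `add_authorizedkey` publishes `authorizedkey_added`, a notification plugin subscribes and queues mail, and `simulate` shows which conditions leave the user uninformed (the pre-fix path, a missing email address, and the `send_changed` opt-out). The `Bus`, `User`, `NotificationPlugin` and `simulate` names, the sample key and the MD5 fingerprint format are assumptions.

```python
import base64
import hashlib
from collections import defaultdict

class Bus:  # minimal stand-in for the cherrypy engine bus rdiffweb publishes on
    def __init__(self):
        self._subs = defaultdict(list)
    def subscribe(self, channel, callback):
        self._subs[channel].append(callback)
    def publish(self, channel, *args, **kwargs):
        for cb in self._subs[channel]:
            cb(*args, **kwargs)

def fingerprint(openssh_key):
    # Assumption: MD5 colon-hex of the decoded key blob, the format the patch's test shows
    digest = hashlib.md5(base64.b64decode(openssh_key.split()[1])).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))

class User:
    def __init__(self, bus, username, email=None, fixed=True):
        self.bus, self.username, self.email, self.fixed = bus, username, email, fixed
        self.authorizedkeys = []
    def add_authorizedkey(self, key, comment=None):
        self.authorizedkeys.append(key)
        self.bus.publish("user_attr_changed", self, {"authorizedkeys": True})
        if self.fixed:  # the publish the fix adds; fixed=False reproduces pre-2.5.5 silence
            self.bus.publish("authorizedkey_added", self, fingerprint=fingerprint(key), comment=comment)

class NotificationPlugin:
    def __init__(self, bus, send_changed=True):
        self.bus, self.send_changed, self.outbox = bus, send_changed, []
        bus.subscribe("authorizedkey_added", self.authorizedkey_added)
        bus.subscribe("queue_mail", self.outbox.append)  # captured here instead of sent
    def authorizedkey_added(self, userobj, fingerprint, comment, **kwargs):
        # Same two gates as the patched handler: the opt-out flag and a missing address
        if not self.send_changed or not userobj.email:
            return
        self.bus.publish("queue_mail", {"to": userobj.email, "subject": "A new SSH Key has been added",
                                        "fingerprint": fingerprint, "comment": comment})

# Constructed sample key (not a real credential): an ssh-ed25519 blob with an all-zero point
KEY = "ssh-ed25519 " + base64.b64encode(
    b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + bytes(32)).decode() + " constructed@example"

def simulate(fixed=True, email="alice@example.test", send_changed=True):
    """Add KEY to a fresh user and return the mails the plugin queued (empty = silent)."""
    bus = Bus()
    plugin = NotificationPlugin(bus, send_changed)
    User(bus, "alice", email, fixed).add_authorizedkey(KEY, comment="laptop")
    return plugin.outbox
```

`simulate()` returns one queued mail on the fixed path and an empty list for the pre-fix path, a user without an address, or `send_changed=False`.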
Preconditions
- auth: The attacker must have already gained access to the user's account to add an SSH key.
Generated on May 17, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-2wpw-cm9w-v4xm (advisory, via GHSA)
- nvd.nist.gov/vuln/detail/CVE-2022-4719 (advisory, via GHSA)
- github.com/ikus060/rdiffweb/commit/bc4bed89affcba71251fe54ed10639da9d392c1d (web, via GHSA)
- github.com/pypa/advisory-database/tree/main/vulns/rdiffweb/PYSEC-2022-43005.yaml (web, via GHSA)
- huntr.dev/bounties/9f746881-ad42-446b-9b1d-153391eacc09 (web, via GHSA)