Improper Access Control in ikus060/rdiffweb
Description
Improper Access Control in GitHub repository ikus060/rdiffweb prior to 2.5.5.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Improper access control in rdiffweb before 2.5.5 allowed users to add SSH keys already associated with other users, enabling potential unauthorized access.
Vulnerability
rdiffweb prior to version 2.5.5 suffered from an improper access control vulnerability: a user could register a public SSH key that was already associated with another account. The root cause was the absence of a uniqueness constraint on SSH key fingerprints across users. The stored key column (`Key`) was already declared unique, but the tests added with the fix cover exactly the two cases that slipped past it: the same key submitted with a different comment, and the same key submitted by a different user [2].
Exploitation
Any authenticated user could exploit this by adding, through the web interface, a public SSH key that was already linked to another user's account. No elevated privileges were required, and because public keys are not secret, obtaining one belonging to another user is rarely a barrier [1][2].
Impact
An attacker who successfully registered a duplicate SSH key could potentially be treated as the victim user for SSH-based operations, such as accessing backup repositories managed by rdiffweb. This could lead to unauthorized data access, modification, or deletion, compromising the confidentiality and integrity of backups [3][4]. One caveat: holding only the victim's public key does not let the attacker complete SSH authentication as the victim. The exposure comes from the same key now being bound to two accounts, so which account a session authenticated with that key is mapped to depends on which entry is matched first rather than on who actually owns the key.
Mitigation
The issue was addressed in rdiffweb version 2.5.5 by enforcing a unique index on SSH key fingerprints across all users. Users are strongly advised to upgrade to version 2.5.5 or later to prevent exploitation [2][3]. Note that the upgrade migration creates the index on startup; if the database already contains two rows with the same fingerprint, index creation fails, rdiffweb logs the duplicate fingerprints, and exits with status 12. Administrators should therefore list and remove duplicate keys before upgrading, and treat any duplicates found as a signal to verify which account legitimately owns the key [2].
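The following is an added, self-contained example (not rdiffweb's own code) that demonstrates both the weakness described under Vulnerability and the fix described under Mitigation: a table whose only uniqueness guarantee is on the stored key line accepts the same public key twice when the comment differs, while a unique index on the fingerprint rejects it, and the pre-upgrade duplicate query shows what an administrator would see. The table and column names, the OpenSSH-style SHA256 fingerprint format, and the sample key (constructed from a fixed 32-byte value, not a real key pair) are all assumptions made for illustration.

```python
"""Added example, not rdiffweb code: SSH key uniqueness on the stored line
versus on the fingerprint. Uses only the standard library (sqlite3)."""
import base64
import hashlib
import sqlite3
import struct


def fingerprint(pubkey_line):
    """OpenSSH-style SHA256 fingerprint: hash the decoded key blob, so the
    key type prefix and any trailing comment do not influence the result."""
    parts = pubkey_line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64 blob> [comment]'")
    blob = base64.b64decode(parts[1], validate=True)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def _ssh_string(b):
    # SSH wire-format string: 4-byte big-endian length followed by the bytes.
    return struct.pack(">I", len(b)) + b


def make_ed25519_line(raw32, comment):
    """Build a syntactically valid ssh-ed25519 public key line from a
    constructed 32-byte value (assumption: not a real key pair)."""
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(raw32)
    return "ssh-ed25519 %s %s" % (base64.b64encode(blob).decode(), comment)


# Hypothetical schema mirroring the shape of the advisory's model:
# uniqueness only on the full stored line, which includes the comment.
VULNERABLE_SCHEMA = """
CREATE TABLE sshkeys (
    "Key"       TEXT PRIMARY KEY,
    Fingerprint TEXT,
    UserID      INTEGER NOT NULL
);
"""

# Fixed schema: the same table plus a unique index on the fingerprint.
FIXED_SCHEMA = VULNERABLE_SCHEMA + """
CREATE UNIQUE INDEX sshkey_fingerprint_index ON sshkeys(Fingerprint);
"""


def add_key(conn, userid, line):
    """Return True if the key was stored, False if the database rejected it."""
    try:
        with conn:
            conn.execute(
                'INSERT INTO sshkeys ("Key", Fingerprint, UserID) VALUES (?, ?, ?)',
                (line, fingerprint(line), userid),
            )
        return True
    except sqlite3.IntegrityError:
        return False


def duplicate_fingerprints(conn):
    """The pre-upgrade check: fingerprints bound to more than one row."""
    rows = conn.execute(
        "SELECT Fingerprint FROM sshkeys GROUP BY Fingerprint HAVING COUNT(*) > 1"
    ).fetchall()
    return [r[0] for r in rows]


def run_scenario(schema):
    """Victim (user 1) registers a key; attacker (user 2) re-registers the
    same key with a different comment. Returns what the database did."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(schema)
    victim_key = make_ed25519_line(bytes(range(32)), "victim@laptop")
    attacker_copy = make_ed25519_line(bytes(range(32)), "attacker-copy")
    first = add_key(conn, 1, victim_key)
    second = add_key(conn, 2, attacker_copy)
    return {
        "first_stored": first,
        "second_stored": second,
        "same_fingerprint": fingerprint(victim_key) == fingerprint(attacker_copy),
        "duplicates": duplicate_fingerprints(conn),
    }


if __name__ == "__main__":
    print("vulnerable:", run_scenario(VULNERABLE_SCHEMA))
    print("fixed:     ", run_scenario(FIXED_SCHEMA))
```

Running it shows the vulnerable schema storing both rows (and `duplicate_fingerprints` listing the shared fingerprint, which is the situation that makes the real migration refuse to start), while the fixed schema rejects the second insert with an `IntegrityError`, the same exception the patched `add_authorizedkey` translates into `DuplicateSSHKeyError`.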
- [1] GitHub - ikus060/rdiffweb: A simplified backup management software for quick access to your archives through an efficient web interface.
- [2] Make sure that all ssh keys are unique, regardless of the user · ikus060/rdiffweb@c4a19cf
- [3] NVD - CVE-2022-4724
- [4] advisory-database/vulns/rdiffweb/PYSEC-2022-43010.yaml at main · pypa/advisory-database
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| rdiffweb (PyPI) | < 2.5.5 | 2.5.5 |
Affected products
- ikus060/ikus060/rdiffweb v5, range: unspecified
Patches
- c4a19cf67d57: Make sure that all ssh keys are unique, regardless of the user
  5 files changed · +64 −7
rdiffweb/core/model/__init__.py+21 −2 modified@@ -19,12 +19,12 @@ import sys import cherrypy -from sqlalchemy import event +from sqlalchemy import event, func from sqlalchemy.exc import IntegrityError from ._repo import RepoObject # noqa from ._session import DbSession, SessionObject # noqa -from ._sshkey import SshKey # noqa +from ._sshkey import SshKey, sshkey_fingerprint_index # noqa from ._token import Token # noqa from ._user import DuplicateSSHKeyError, UserObject, user_username_index # noqa @@ -137,3 +137,22 @@ def db_after_create(target, connection, **kw): logger.error(msg) print(msg, file=sys.stderr) raise SystemExit(12) + + # Fix SSH Key uniqueness - since 2.5.4 + if not _index_exists(connection, 'sshkey_fingerprint_index'): + duplicate_sshkeys = ( + SshKey.query.with_entities(SshKey.fingerprint) + .group_by(SshKey.fingerprint) + .having(func.count(SshKey.fingerprint) > 1) + ).all() + try: + sshkey_fingerprint_index.create() + except IntegrityError: + msg = ( + 'Failure to upgrade your database to make SSH Keys unique. ' + 'You must downgrade and deleted duplicate SSH Keys. ' + '%s' % '\n'.join([str(k) for k in duplicate_sshkeys]), + ) + logger.error(msg) + print(msg, file=sys.stderr) + raise SystemExit(12)
rdiffweb/core/model/_sshkey.py+5 −1 modified@@ -16,7 +16,7 @@ # along with this program. If not, see <http://www.gnu.org/licenses/>. import cherrypy -from sqlalchemy import Column, Integer, Text +from sqlalchemy import Column, Index, Integer, Text Base = cherrypy.tools.db.get_base() @@ -27,3 +27,7 @@ class SshKey(Base): fingerprint = Column('Fingerprint', Text) key = Column('Key', Text, unique=True, primary_key=True) userid = Column('UserID', Integer, nullable=False) + + +# Make finger print unique +sshkey_fingerprint_index = Index('sshkey_fingerprint_index', SshKey.fingerprint, unique=True)
rdiffweb/core/model/tests/test_user.py+34 −2 modified@@ -325,15 +325,47 @@ def test_add_authorizedkey_without_file(self): def test_add_authorizedkey_duplicate(self): # Read the pub key key = self._read_ssh_key() - # Add the key to the user + # Given a user with a SSH Key userobj = UserObject.get_user(self.USERNAME) userobj.add_authorizedkey(key) userobj.commit() - # Add the same key + + # When adding the same identical key. + # Then an error is raised with self.assertRaises(DuplicateSSHKeyError): userobj.add_authorizedkey(key) userobj.commit() + def test_add_authorizedkey_duplicate_new_comment(self): + # Read the pub key + key = self._read_ssh_key() + # Given a user with a SSH Key + userobj = UserObject.get_user(self.USERNAME) + userobj.add_authorizedkey(key) + userobj.commit() + + # When adding the same key with a different comment + # Then an error is raised + with self.assertRaises(DuplicateSSHKeyError): + userobj.add_authorizedkey(key, comment="new comment") + userobj.commit() + + def test_add_authorizedkey_duplicate_new_user(self): + # Read the pub key + key = self._read_ssh_key() + # Given a user with a SSH Key + userobj = UserObject.get_user(self.USERNAME) + userobj.add_authorizedkey(key) + userobj.commit() + + # When adding the same key to a different user + # Then an error is raised + newuser = UserObject.add_user("newuser") + newuser.commit() + with self.assertRaises(DuplicateSSHKeyError): + newuser.add_authorizedkey(key, comment="new comment") + newuser.commit() + def test_add_authorizedkey_with_file(self): """ Add an ssh key for a user with an authorizedkey file.
rdiffweb/core/model/_user.py+3 −2 modified@@ -159,7 +159,7 @@ def add_authorizedkey(self, key, comment=None): assert key key = authorizedkeys.check_publickey(key) - # Remove option, replace comments. + # Remove option & Remove comment for SQL storage key = authorizedkeys.AuthorizedKey( options=None, keytype=key.keytype, key=key.key, comment=comment or key.comment ) @@ -176,7 +176,8 @@ def add_authorizedkey(self, key, comment=None): # Also look in database. logger.info("add key [%s] to [%s] database", key, self.username) try: - SshKey(userid=self.userid, fingerprint=key.fingerprint, key=key.getvalue()).add().flush() + sshkey = SshKey(userid=self.userid, fingerprint=key.fingerprint, key=key.getvalue()) + sshkey.add().flush() except IntegrityError: raise DuplicateSSHKeyError( _("Duplicate key. This key already exists or is associated to another user.")
README.md+1 −0 modified@@ -115,6 +115,7 @@ Professional support for Rdiffweb is available by contacting [IKUS Soft](https:/ * Sent email notification to user when a new SSH Key get added - credit to [Nehal Pillai](https://www.linkedin.com/in/nehal-pillai-02a854172) * Ratelimit "Resend code to my email" in Two-Factor Authentication view - credit to [Nehal Pillai](https://www.linkedin.com/in/nehal-pillai-02a854172) * Username are not case-insensitive - credits to [raiders0786](https://www.linkedin.com/in/chirag-agrawal-770488144/) +* Make sure that all ssh keys are unique, regardless of the user - credit to [Nehal Pillai](https://www.linkedin.com/in/nehal-pillai-02a854172) Breaking changes:
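Review bot: in the new SSH-key migration block of `db_after_create` (rdiffweb/core/model/__init__.py), the trailing comma inside the parentheses of the `msg = ( ... '%s' % '\n'.join(...), )` assignment makes `msg` a one-element tuple rather than a string, so `logger.error(msg)` and `print(msg, file=sys.stderr)` will emit the tuple's repr instead of the message; drop that comma. The message text itself should read "delete" rather than "deleted", and the comment "Fix SSH Key uniqueness - since 2.5.4" does not match the advisory's fixed version 2.5.5. `_index_exists` is called but neither defined nor imported in this hunk; confirm it already exists in the module.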
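Review bot: in rdiffweb/core/model/_sshkey.py, `fingerprint` remains a nullable `Text` column while `sshkey_fingerprint_index` makes it unique; databases generally treat NULLs as distinct in a unique index, so a row whose fingerprint was never populated would not be caught by the new constraint. Consider `nullable=False` on `fingerprint` next to the index, and change "Make finger print unique" to "Make fingerprint unique" in the comment.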
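Review bot: the three model tests in rdiffweb/core/model/tests/test_user.py cover the `DuplicateSSHKeyError` path for an identical key, a comment variant and a second user, but nothing exercises the new migration branch in `db_after_create`: a pre-existing database holding two rows with the same fingerprint, expecting the duplicates to be logged and `SystemExit(12)` to be raised. That is the path administrators hit on upgrade and the one most likely to regress; a test against a fixture database would close the gap.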
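Review bot: in rdiffweb/core/model/_user.py the rewritten comment says "Remove option & Remove comment for SQL storage", but the following lines still pass `comment=comment or key.comment` into `AuthorizedKey`, so the comment is retained rather than removed. Either strip the comment before storage (which, if the stored `Key` value includes the comment, would also let the existing `Key` uniqueness catch comment variants) or reword the comment to say only options are dropped. Splitting `SshKey(...)` onto two lines before `.add().flush()` is cosmetic; the single `except IntegrityError` now covers both the `Key` primary key and the new fingerprint index, which is the intended behaviour.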
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-m8r9-qxx8-mrxp (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2022-4724 (ghsa, ADVISORY)
- github.com/ikus060/rdiffweb/commit/c4a19cf67d575c4886171b8efcbf4675d51f3929 (ghsa, WEB)
- github.com/pypa/advisory-database/tree/main/vulns/rdiffweb/PYSEC-2022-43010.yaml (ghsa, WEB)
- huntr.dev/bounties/e6fb1931-8d9c-4895-be4a-59839b4b6445 (ghsa, WEB)