CVE-2024-42353

14.08.2024, 21:15

WebOb provides objects for HTTP requests and responses. When WebOb normalizes the HTTP Location header to include the request hostname, it does so by parsing the URL that the user is to be redirected to with Python's urlparse, and joining it to the base URL. `urlparse` however treats a `//` at the start of a string as a URI without a scheme, and then treats the next part as the hostname. `urljoin` will then use that hostname from the second part as the hostname replacing the original one from the request. This vulnerability is patched in WebOb version 1.8.8.

Open Redirect

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	6.1 MEDIUM	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
GitHub_M	CNA	6.1 MEDIUM	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CISA-ADP	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 31%

Vendor	Product	Version
pylonsproject	webob	𝑥 < 1.8.8

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

python-webob

bullseye	postponed
bookworm	no-dsa
sid	1:1.8.9-1 fixed
trixie	1:1.8.9-1 fixed

Ubuntu Releases

Ubuntu Product

Codename

python-webob

plucky	Fixed 1:1.8.7-1ubuntu1 released
oracular	Fixed 1:1.8.7-1ubuntu1 released
noble	Fixed 1:1.8.7-1ubuntu0.1.24.04.1 released
jammy	Fixed 1:1.8.6-1.1ubuntu0.1 released
focal	Fixed 1:1.8.5-2ubuntu0.1 released
bionic	needs-triage
xenial	needs-triage

Known Exploits!

https://github.com/Pylons/webob/security/advisories/GHSA-mg3v-6m49-jhp3

Common Weakness Enumeration

CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks.

References

https://github.com/Pylons/webob/commit/f689bcf4f0a1f64f1735b1d5069aef5be6974b5b

https://github.com/Pylons/webob/security/advisories/GHSA-mg3v-6m49-jhp3