CVE-2023-24622 – safeurl-python

Package

Manager: pip
Name: safeurl-python
Vulnerable Version: >=0 <1.2

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00211 pctl0.43684

Details

safeurl-python contains Server-Side Request Forgery ### Description In SafeURL it is possible to specify a list of domains that should be matched before a request is sent out. The regex used to compare domains did not work as intended. ### Impact The regex used was: `re.match("(?i)^%s" % domain, value)` This has two problems, first that only the beginning and not the end of the string is anchored. Second, that a dot in the domain matches any character as part of regex syntax. Therefore, an allowlist of ["victim.com"] could allow the domain "victimacomattacker.com" to be requested. This has lower impact since the usual attacker aim in an SSRF is to request internal resources such as private IP addresses rather than an attacker's own domain. But, in a case where SafeURL had specifically been used to try to limit requests to a particular allowlist, say for example a PDF renderer, the finding would be more severe. ### Patches Fixed in https://github.com/IncludeSecurity/safeurl-python/pull/5 ### References [Server-side request forgery (SSRF)](https://portswigger.net/web-security/ssrf)

Metadata

Created: 2023-01-27T01:04:27Z
Modified: 2024-11-26T16:13:13Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/01/GHSA-jgh8-vchw-q3g7/GHSA-jgh8-vchw-q3g7.json
CWE IDs: ["CWE-918"]
Alternative ID: GHSA-jgh8-vchw-q3g7
Finding: F100
Auto approve: 1