logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

CVE-2024-42353 webob

Package

Manager: pip
Name: webob
Vulnerable Version: >=0 <1.8.8

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

EPSS: 0.0015 pctl0.36149

Details

WebOb's location header normalization during redirect leads to open redirect ### Impact When WebOb normalizes the HTTP Location header to include the request hostname, it does so by parsing the URL that the user is to be redirected to with Python's urlparse, and joining it to the base URL. `urlparse` however treats a `//` at the start of a string as a URI without a scheme, and then treats the next part as the hostname. `urljoin` will then use that hostname from the second part as the hostname replacing the original one from the request. ``` >>> parse.urlparse("//example.com/test/path") ParseResult(scheme='', netloc='example.com', path='/test/path', params='', query='', fragment='') ``` WebOb uses `urljoin` to take the request URI and joining the redirect location, so assuming the request URI is: `https://example.org//example.com/some/path`, and the URL to redirect to (for example by adding a slash automatically) is `//example.com/some/path/` that gets turned by `urljoin` into: ``` >>> parse.urljoin("https://example.org//attacker.com/some/path", "//attacker.com/some/path/") 'https://attacker.com/some/path/' ``` Which redirects from `example.org` where we want the user to stay to `attacker.com` ### Patches This issue is patched in WebOb 1.8.8 Older versions of WebOb continue to be vulnerable to this issue, and should be avoided. ### Workarounds Any use of the `Response` class that includes a `location` can be rewritten to make sure to always pass a full URI that includes the hostname to redirect the user to. ### Thanks - Sara Gao This issue was reported via the [Pylons Project Security List](mailto:pylons-project-security@googlegroups.com)

Metadata

Created: 2024-08-14T17:48:06Z
Modified: 2025-01-21T18:00:40Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/08/GHSA-mg3v-6m49-jhp3/GHSA-mg3v-6m49-jhp3.json
CWE IDs: ["CWE-601"]
Alternative ID: GHSA-mg3v-6m49-jhp3
Finding: F156
Auto approve: 1