pysec - pysec-2024-188

PYSEC-2024-188

Vulnerability from pysec - Published: 2024-08-14 21:15 - Updated: 2025-01-19 04:23

Details

WebOb provides objects for HTTP requests and responses. When WebOb normalizes the HTTP Location header to include the request hostname, it does so by parsing the URL that the user is to be redirected to with Python's urlparse, and joining it to the base URL. urlparse however treats a // at the start of a string as a URI without a scheme, and then treats the next part as the hostname. urljoin will then use that hostname from the second part as the hostname replacing the original one from the request. This vulnerability is patched in WebOb version 1.8.8.

Severity ?

6.1 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Impacted products

Name	purl
webob	pkg:pypi/webob

Aliases

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "webob",
        "purl": "pkg:pypi/webob"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "f689bcf4f0a1f64f1735b1d5069aef5be6974b5b"
            }
          ],
          "repo": "https://github.com/pylons/webob",
          "type": "GIT"
        },
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.8.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "0.8",
        "0.8.1",
        "0.8.2",
        "0.8.3",
        "0.8.4",
        "0.8.5",
        "0.9",
        "0.9.1",
        "0.9.2",
        "0.9.3",
        "0.9.4",
        "0.9.5",
        "0.9.6",
        "0.9.6.1",
        "0.9.7",
        "0.9.7.1",
        "0.9.8",
        "1.0",
        "1.0.1",
        "1.0.2",
        "1.0.3",
        "1.0.4",
        "1.0.5",
        "1.0.6",
        "1.0.7",
        "1.0.8",
        "1.1",
        "1.1.1",
        "1.1b2",
        "1.1beta1",
        "1.1rc1",
        "1.2",
        "1.2.1",
        "1.2.2",
        "1.2.3",
        "1.2b1",
        "1.2b2",
        "1.2b3",
        "1.2rc1",
        "1.3",
        "1.3.1",
        "1.4",
        "1.4.1",
        "1.4.2",
        "1.5.0",
        "1.5.0a0",
        "1.5.0a1",
        "1.5.0b0",
        "1.5.1",
        "1.6.0",
        "1.6.0a0",
        "1.6.1",
        "1.6.2",
        "1.6.3",
        "1.6.4",
        "1.7.0",
        "1.7.0rc1",
        "1.7.0rc2",
        "1.7.1",
        "1.7.2",
        "1.7.3",
        "1.7.4",
        "1.8.0",
        "1.8.0rc1",
        "1.8.1",
        "1.8.2",
        "1.8.3",
        "1.8.4",
        "1.8.5",
        "1.8.6",
        "1.8.7"
      ]
    }
  ],
  "aliases": [
    "CVE-2024-42353",
    "GHSA-mg3v-6m49-jhp3"
  ],
  "details": "WebOb provides objects for HTTP requests and responses. When WebOb normalizes the HTTP Location header to include the request hostname, it does so by parsing the URL that the user is to be redirected to with Python\u0027s urlparse, and joining it to the base URL. `urlparse` however treats a `//` at the start of a string as a URI without a scheme, and then treats the next part as the hostname. `urljoin` will then use that hostname from the second part as the hostname replacing the original one from the request. This vulnerability is patched in WebOb version 1.8.8.",
  "id": "PYSEC-2024-188",
  "modified": "2025-01-19T04:23:01.908824+00:00",
  "published": "2024-08-14T21:15:17+00:00",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://github.com/Pylons/webob/security/advisories/GHSA-mg3v-6m49-jhp3"
    },
    {
      "type": "EVIDENCE",
      "url": "https://github.com/Pylons/webob/security/advisories/GHSA-mg3v-6m49-jhp3"
    },
    {
      "type": "FIX",
      "url": "https://github.com/Pylons/webob/commit/f689bcf4f0a1f64f1735b1d5069aef5be6974b5b"
    }
  ],
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MG3V-6M49-JHP3

Vulnerability from github – Published: 2024-08-14 17:48 – Updated: 2025-01-21 18:00

Summary

WebOb's location header normalization during redirect leads to open redirect

Details

Impact

When WebOb normalizes the HTTP Location header to include the request hostname, it does so by parsing the URL that the user is to be redirected to with Python's urlparse, and joining it to the base URL. urlparse however treats a // at the start of a string as a URI without a scheme, and then treats the next part as the hostname. urljoin will then use that hostname from the second part as the hostname replacing the original one from the request.

>>> parse.urlparse("//example.com/test/path")
ParseResult(scheme='', netloc='example.com', path='/test/path', params='', query='', fragment='')

WebOb uses urljoin to take the request URI and joining the redirect location, so assuming the request URI is: https://example.org//example.com/some/path, and the URL to redirect to (for example by adding a slash automatically) is //example.com/some/path/ that gets turned by urljoin into:

>>> parse.urljoin("https://example.org//attacker.com/some/path", "//attacker.com/some/path/")
'https://attacker.com/some/path/'

Which redirects from example.org where we want the user to stay to attacker.com

Patches

This issue is patched in WebOb 1.8.8

Older versions of WebOb continue to be vulnerable to this issue, and should be avoided.

Workarounds

Any use of the Response class that includes a location can be rewritten to make sure to always pass a full URI that includes the hostname to redirect the user to.

Thanks

Sara Gao

This issue was reported via the Pylons Project Security List

Severity ?

6.1 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

5.1 (Medium)


                  
                    CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.8.7"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "webob"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.8.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-42353"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-601"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-08-14T17:48:06Z",
    "nvd_published_at": "2024-08-14T21:15:17Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nWhen WebOb normalizes the HTTP Location header to include the request hostname, it does so by parsing the URL that the user is to be redirected to with Python\u0027s urlparse, and joining it to the base URL. `urlparse` however treats a `//` at the start of a string as a URI without a scheme, and then treats the next part as the hostname. `urljoin` will then use that hostname from the second part as the hostname replacing the original one from the request.\n\n```\n\u003e\u003e\u003e parse.urlparse(\"//example.com/test/path\")\nParseResult(scheme=\u0027\u0027, netloc=\u0027example.com\u0027, path=\u0027/test/path\u0027, params=\u0027\u0027, query=\u0027\u0027, fragment=\u0027\u0027)\n```\n\nWebOb uses `urljoin` to take the request URI and joining the redirect location, so assuming the request URI is: `https://example.org//example.com/some/path`, and the URL to redirect to (for example by adding a slash automatically) is `//example.com/some/path/` that gets turned by `urljoin` into:\n\n```\n\u003e\u003e\u003e parse.urljoin(\"https://example.org//attacker.com/some/path\", \"//attacker.com/some/path/\")\n\u0027https://attacker.com/some/path/\u0027\n```\n\nWhich redirects from `example.org` where we want the user to stay to `attacker.com`\n\n\n### Patches\n\nThis issue is patched in WebOb 1.8.8\n\nOlder versions of WebOb continue to be vulnerable to this issue, and should be avoided.\n\n### Workarounds\n\nAny use of the `Response` class that includes a `location` can be rewritten to make sure to always pass a full URI that includes the hostname to redirect the user to.\n\n### Thanks\n\n- Sara Gao\n\nThis issue was reported via the [Pylons Project Security List](mailto:pylons-project-security@googlegroups.com)\n",
  "id": "GHSA-mg3v-6m49-jhp3",
  "modified": "2025-01-21T18:00:40Z",
  "published": "2024-08-14T17:48:06Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/Pylons/webob/security/advisories/GHSA-mg3v-6m49-jhp3"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-42353"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Pylons/webob/commit/f689bcf4f0a1f64f1735b1d5069aef5be6974b5b"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Pylons/webob"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/webob/PYSEC-2024-188.yaml"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "WebOb\u0027s location header normalization during redirect leads to open redirect"
}

CVE-2024-42353 (GCVE-0-2024-42353)

Vulnerability from cvelistv5 – Published: 2024-08-14 20:12 – Updated: 2024-08-15 14:04

Summary

WebOb provides objects for HTTP requests and responses. When WebOb normalizes the HTTP Location header to include the request hostname, it does so by parsing the URL that the user is to be redirected to with Python's urlparse, and joining it to the base URL. `urlparse` however treats a `//` at the start of a string as a URI without a scheme, and then treats the next part as the hostname. `urljoin` will then use that hostname from the second part as the hostname replacing the original one from the request. This vulnerability is patched in WebOb version 1.8.8.

Severity ?

6.1 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CWE

CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')

Assigner

GitHub_M

References

URL

Tags

	https://github.com/Pylons/webob/security/advisori…	x_refsource_CONFIRM
	https://github.com/Pylons/webob/commit/f689bcf4f0…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	Pylons	webob	Affected: <= 1.8.7

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-42353",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-08-15T14:02:15.377428Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-08-15T14:04:01.806Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "webob",
          "vendor": "Pylons",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c= 1.8.7"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "WebOb provides objects for HTTP requests and responses. When WebOb normalizes the HTTP Location header to include the request hostname, it does so by parsing the URL that the user is to be redirected to with Python\u0027s urlparse, and joining it to the base URL. `urlparse` however treats a `//` at the start of a string as a URI without a scheme, and then treats the next part as the hostname. `urljoin` will then use that hostname from the second part as the hostname replacing the original one from the request. This vulnerability is patched in WebOb version 1.8.8."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-601",
              "description": "CWE-601: URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-08-14T20:12:30.077Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/Pylons/webob/security/advisories/GHSA-mg3v-6m49-jhp3",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/Pylons/webob/security/advisories/GHSA-mg3v-6m49-jhp3"
        },
        {
          "name": "https://github.com/Pylons/webob/commit/f689bcf4f0a1f64f1735b1d5069aef5be6974b5b",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/Pylons/webob/commit/f689bcf4f0a1f64f1735b1d5069aef5be6974b5b"
        }
      ],
      "source": {
        "advisory": "GHSA-mg3v-6m49-jhp3",
        "discovery": "UNKNOWN"
      },
      "title": "WebOb\u0027s location header normalization during redirect leads to open redirect"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-42353",
    "datePublished": "2024-08-14T20:12:30.077Z",
    "dateReserved": "2024-07-30T14:01:33.922Z",
    "dateUpdated": "2024-08-15T14:04:01.806Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

PYSEC-2024-188

GHSA-MG3V-6M49-JHP3

Impact

Patches

Workarounds

Thanks

CVE-2024-42353 (GCVE-0-2024-42353)

Tags

Sightings

Nomenclature