CVE-2024-42353

WebOb's location header normalization during redirect leads to open redirect

Severity Score

6.1

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

MITRE
RedHat

WebOb provides objects for HTTP requests and responses. When WebOb normalizes the HTTP Location header to include the request hostname, it does so by parsing the URL that the user is to be redirected to with Python's urlparse, and joining it to the base URL. `urlparse` however treats a `//` at the start of a string as a URI without a scheme, and then treats the next part as the hostname. `urljoin` will then use that hostname from the second part as the hostname replacing the original one from the request. This vulnerability is patched in WebOb version 1.8.8.

A vulnerability was found in the WebOb package. WebOb normalizes the HTTP Location header using urlparse and urljoin. If the URL starts with //, urlparse treats the following part as the hostname, and replaces the original request's hostname. This issue, combined with user interaction, may become a vulnerability.

*Credits: N/A

CVSS Scores

GitHubv3.1 6.1

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-07-30 CVE Reserved
2024-08-14 CVE Published
2024-08-15 CVE Updated
2024-08-20 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-601: URL Redirection to Untrusted Site ('Open Redirect')

CAPEC

References (4)

URL	Tag	Source
https://github.com/Pylons/webob/security/advisories/GHSA-mg3v-6m49-jhp3	X_refsource_confirm
https://github.com/Pylons/webob/commit/f689bcf4f0a1f64f1735b1d5069aef5be6974b5b	X_refsource_misc

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://access.redhat.com/security/cve/CVE-2024-42353	2024-11-21
https://bugzilla.redhat.com/show_bug.cgi?id=2305004	2024-11-21

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Pylons Search vendor "Pylons"		Webob Search vendor "Pylons" for product "Webob"				<= 1.8.7 Search vendor "Pylons" for product "Webob" and version " <= 1.8.7"		en		Affected