CVE-2024-42353: WebOb's location header normalization during redirect leads to open redirect
First published: Wed Aug 14 2024(Updated: )
### Impact When WebOb normalizes the HTTP Location header to include the request hostname, it does so by parsing the URL that the user is to be redirected to with Python's urlparse, and joining it to the base URL. `urlparse` however treats a `//` at the start of a string as a URI without a scheme, and then treats the next part as the hostname. `urljoin` will then use that hostname from the second part as the hostname replacing the original one from the request. ``` >>> parse.urlparse("//example.com/test/path") ParseResult(scheme='', netloc='example.com', path='/test/path', params='', query='', fragment='') ``` WebOb uses `urljoin` to take the request URI and joining the redirect location, so assuming the request URI is: `https://example.org//example.com/some/path`, and the URL to redirect to (for example by adding a slash automatically) is `//example.com/some/path/` that gets turned by `urljoin` into: ``` >>> parse.urljoin("https://example.org//attacker.com/some/path", "//attacker.com/some/path/") 'https://attacker.com/some/path/' ``` Which redirects from `example.org` where we want the user to stay to `attacker.com` ### Patches This issue is patched in WebOb 1.8.8 Older versions of WebOb continue to be vulnerable to this issue, and should be avoided. ### Workarounds Any use of the `Response` class that includes a `location` can be rewritten to make sure to always pass a full URI that includes the hostname to redirect the user to. ### Thanks - Sara Gao This issue was reported via the [Pylons Project Security List](mailto:pylons-project-security@googlegroups.com)
Credit: security-advisories@github.com security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| pip/webob | <=1.8.7 | 1.8.8 |
| Pylonsproject Webob | <1.8.8 | |
| debian/python-webob | <=1:1.8.6-1.1<=1:1.8.6-3<=1:1.8.7-1 | |
| ubuntu/python-webob | <1:1.8.5-2ubuntu0.1 | 1:1.8.5-2ubuntu0.1 |
| ubuntu/python-webob | <1:1.8.6-1.1ubuntu0.1 | 1:1.8.6-1.1ubuntu0.1 |
| ubuntu/python-webob | <1:1.8.7-1ubuntu0.1.24.04.1 | 1:1.8.7-1ubuntu0.1.24.04.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/Pylons/webob/security/advisories/GHSA-mg3v-6m49-jhp3
- https://github.com/Pylons/webob/commit/f689bcf4f0a1f64f1735b1d5069aef5be6974b5b
- https://nvd.nist.gov/vuln/detail/CVE-2024-42353
- https://github.com/advisories/GHSA-mg3v-6m49-jhp3 (Advisory)
- https://security-tracker.debian.org/tracker/CVE-2024-42353
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-42353
- https://launchpad.net/bugs/cve/CVE-2024-42353
- https://ubuntu.com/security/CVE-2024-42353
- agent/weakness
- agent/title
- agent/type
- agent/severity
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-mg3v-6m49-jhp3
- alias/CVE-2024-42353
- agent/software-canonical-lookup
- agent/author
- collector/mitre-cve
- source/MITRE
- agent/remedy
- agent/last-modified-date
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup-request
- collector/nvd-cve
- collector/github-advisory
- collector/security-tracker-debian
- source/Debian
- agent/first-publish-date
- agent/softwarecombine
- collector/usn-cve
- source/Ubuntu
- agent/tags
- agent/references
- agent/description
- agent/event
- agent/trending
- package-manager/pip
- vendor/pylonsproject
- canonical/pylonsproject webob
- package-manager/debian