CVE-2024-42353 — Open Redirect in Webob

CWE-601 — Open Redirect8 documents7 sources

Severity

6.1MEDIUMNVD

EPSS

0.2%

top 52.47%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Pylonsproject Webob Pylons Webob Debian Python-webob +8 more

Timeline

PublishedAug 14

Latest updateSep 2

Description

WebOb provides objects for HTTP requests and responses. When WebOb normalizes the HTTP Location header to include the request hostname, it does so by parsing the URL that the user is to be redirected to with Python's urlparse, and joining it to the base URL. `urlparse` however treats a `//` at the start of a string as a URI without a scheme, and then treats the next part as the hostname. `urljoin` will then use that hostname from the second part as the hostname replacing the original one from th…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages12 packages

▶debiandebian/python-webob< python-webob 1:1.8.9-1 (forky)

▶msrcmsrc/azl3_python-webob_1.8.7-1_on_azure_linux_3.0

▶msrcmsrc/azl3_python-webob_1.8.8-1_on_azure_linux_3.0

▶msrcmsrc/cbl2_python-webob_1.8.7-1_on_cbl_mariner_2.0

▶msrcmsrc/cbl2_python-webob_1.8.8-1_on_cbl_mariner_2.0

Patches

Patch: github.com ↗

🔴Vulnerability Details

OSV

CVE-2024-42353: WebOb provides objects for HTTP requests and responses↗2024-08-14

▶

OSV

WebOb's location header normalization during redirect leads to open redirect↗2024-08-14

▶

GHSA

WebOb's location header normalization during redirect leads to open redirect↗2024-08-14

▶

📋Vendor Advisories

Ubuntu

WebOb vulnerability↗2024-09-02

▶

Red Hat

webob: WebOb's location header normalization during redirect leads to open redirect↗2024-08-14

▶

Microsoft

WebOb's location header normalization during redirect leads to open redirect↗2024-08-13

▶

Debian

CVE-2024-42353: python-webob - WebOb provides objects for HTTP requests and responses. When WebOb normalizes th...↗2024

▶