Safety vulnerability ID: 72631
The information on this page was manually curated by our Cybersecurity Intelligence Team.
Affected versions of WebOb mishandle the HTTP Location header when a response is used to redirect a request. WebOb normalizes a relative Location value into an absolute URL by joining it with the request's URL using Python's `urlparse` and `urljoin`. If the destination begins with "//", `urlparse` treats it as a scheme-relative (network-path) reference whose next component is the hostname, so `urljoin` replaces the request's own host with that one. An application that lets user-controlled input reach the Location header, for example a `next` or `return_to` parameter, therefore becomes an open redirect: a link on a trusted domain can send the user to an attacker-chosen site, which is useful for phishing because the visible starting point is the trusted host. WebOb's normalization is the amplifier rather than the only precondition; the application still has to pass untrusted data into the redirect, so redirect call sites are worth auditing even after upgrading. The fix (released in WebOb 1.8.8; the latest release is 1.8.9) changes the normalization so that a Location value that is not a full URI can no longer be resolved onto a different host.
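The following is an added example, not WebOb's own code, showing the mechanism described above with the standard library alone: `naive_absolute_location` reproduces the `urljoin`-based normalization pattern and demonstrates the host swap, `is_open_redirect` is a check an application can run in its own tests or over logged redirect targets, and `checked_absolute_location` is one way to resolve a Location value without letting it change host. All hostnames and the `allow_external` parameter are placeholders chosen for illustration.

```python
"""Added example (not WebOb's code): urljoin-based Location normalization
versus a host-preserving alternative.  Hostnames below are placeholders."""
from urllib.parse import urljoin, urlsplit


def naive_absolute_location(request_url: str, location: str) -> str:
    """The normalization pattern the advisory describes: resolve the Location
    value against the request URL.  A value starting with "//" parses as a
    network-path reference, so urljoin swaps in the supplied host."""
    return urljoin(request_url, location)


def _host(url: str) -> str:
    """Host (and port, if any) of a URL, lower-cased for comparison."""
    return urlsplit(url).netloc.lower()


def is_open_redirect(request_url: str, location: str) -> bool:
    """True when naive normalization would send the client to another host.
    Usable as a unit-test or log-review check on an application's redirects."""
    return _host(naive_absolute_location(request_url, location)) != _host(request_url)


def checked_absolute_location(request_url: str, location: str,
                              allow_external: bool = False) -> str:
    """Resolve Location against the request URL but refuse results that leave
    the request's host unless the caller explicitly opts in.

    The "//host" form is rejected outright, as is the "/\\host" variant:
    Python's parser sees no netloc in the latter, but browsers treat a
    backslash like a slash when resolving a relative reference."""
    if location.startswith(("//", "/\\", "\\")):
        raise ValueError(f"scheme-relative Location refused: {location!r}")
    resolved = urljoin(request_url, location)
    if not allow_external and _host(resolved) != _host(request_url):
        raise ValueError(f"off-site redirect refused: {resolved!r}")
    return resolved


def is_rejected(request_url: str, location: str) -> bool:
    """Convenience wrapper: True if checked_absolute_location refuses the value."""
    try:
        checked_absolute_location(request_url, location)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    base = "https://trusted.example/login"  # constructed request URL
    for loc in ("/dashboard", "//attacker.example/phish", "https://attacker.example/"):
        print(f"{loc!r:32} -> {naive_absolute_location(base, loc)!r:40} "
              f"open redirect: {is_open_redirect(base, loc)}")
```

Running the module shows the path-only value staying on `trusted.example` while the `//attacker.example/phish` value resolves to the attacker's host. The checked variant is deliberately strict: an application that legitimately redirects off-site should pass `allow_external=True` only at call sites where the target comes from its own configuration, never from the request.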
Latest version: 1.8.9
WSGI request and response object
Unreleased
----------
Security Fix
~~~~~~~~~~~~
- The use of WebOb's Response object to redirect a request to a new location
can lead to an open redirect if the Location header is not a full URI.
See https://github.com/Pylons/webob/security/advisories/GHSA-mg3v-6m49-jhp3
  and CVE-2024-42353.
  Thanks to Sara Gao for the report.