Home > Vulnerability Database > CVE-2024-42353

Mend.io Vulnerability Database

CVE-2024-42353

Good to know:

Date: August 14, 2024

WebOb provides objects for HTTP requests and responses. When WebOb normalizes the HTTP Location header to include the request hostname, it does so by parsing the URL that the user is to be redirected to with Python's urlparse, and joining it to the base URL. `urlparse` however treats a `//` at the start of a string as a URI without a scheme, and then treats the next part as the hostname. `urljoin` will then use that hostname from the second part as the hostname replacing the original one from the request. This vulnerability is patched in WebOb version 1.8.8.

Language: Python

Severity Score

6.1

Related Resources (5)

Url: https://github.com/Pylons/webob/commit/f689bcf4f0a1f64f1735b1d5069aef5be6974b5b

Url: https://github.com/Pylons/webob/security/advisories/GHSA-mg3v-6m49-jhp3

Url: https://github.com/Pylons/webob

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-42353

Url: https://www.mend.io/vulnerability-database/CVE-2024-42353

Severity Score

6.1

Weakness Type (CWE)

URL Redirection to Untrusted Site ('Open Redirect')

CWE-601

Top Fix

Upgrade Version

Upgrade to version webob - 1.8.8

Learn More

CVSS v3.1

Base Score:	6.1
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	REQUIRED
Scope (S):	CHANGED
Confidentiality (C):	LOW
Integrity (I):	LOW
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2024-42353

Good to know:

Date: August 14, 2024

Language: Python

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?