PT-2019-11622 · Invenio · Invenio-App

Lnielsen · Published 2019-07-16 · Updated 2019-08-01 · CVE-2019-1020006

CVSS v3.1: 6.1 Medium
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Invenio-App versions prior to 1.1.1
Description: A host header injection vulnerability has been identified in Invenio-App. The issue is exploitable when the web server is configured to route all requests to the application, the APP_ALLOWED_HOSTS configuration variable is relied upon to whitelist allowed host headers, and Flask's request.host is not evaluated during request handling. This can occur in views that never read request.host, such as views that use url_for to generate external URLs (the generated URL then carries the attacker-supplied host). The estimated number of potentially affected devices worldwide is not available. There is no information about real-world incidents where this issue was exploited.
Recommendations: For Invenio-App versions prior to 1.1.1, upgrade to version 1.1.1 or later to fully fix the issue. As a temporary workaround, configure your web server to ensure that it never routes requests with a wrong host header to your application. This can be achieved by defining two virtual hosts: a default virtual host that acts as a catch-all and an application virtual host that is configured to only reply to a whitelist of host headers. Alternatively, include the following code snippet in your application to force evaluation of request.host:
```python
from flask import request


@app.before_request
def before_request():
    # Reading request.host triggers Invenio-App's host header validation
    # on every request, so views that never touch it are also protected.
    request.host
```
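As an added, stand-alone illustration of why the workaround above matters (this is a constructed model, not Invenio-App's or Flask's code): the request's host property validates the Host header against APP_ALLOWED_HOSTS only when it is read, while the external URL builder, like the URL adapter behind url_for, takes the host straight from the WSGI environ. The whitelist value, the view and the hostnames are assumptions made up for the example.

```python
from urllib.parse import urlunsplit

APP_ALLOWED_HOSTS = {"myapp.example.org"}  # constructed sample whitelist


class BadRequest(Exception):
    """Raised when the Host header is not whitelisted."""


class Request:
    """Stand-in for Flask's request: the host check runs lazily, on access."""
    def __init__(self, environ):
        self.environ = environ

    @property
    def host(self):
        # The whitelist is consulted only when something reads request.host.
        host = self.environ.get("HTTP_HOST", "")
        if host not in APP_ALLOWED_HOSTS:
            raise BadRequest(f"untrusted Host header: {host!r}")
        return host


def url_for_external(environ, path):
    """Stand-in for url_for(..., _external=True): the URL adapter is bound to
    the raw WSGI environ, so the host comes from HTTP_HOST, not request.host."""
    scheme = environ.get("wsgi.url_scheme", "https")
    return urlunsplit((scheme, environ.get("HTTP_HOST", ""), path, "", ""))


def link_view(request):
    """Constructed view that emits an absolute link without reading request.host."""
    return url_for_external(request.environ, "/account/confirm")


def before_request(request):
    """The advisory's workaround: touch request.host so validation always runs."""
    request.host


def handle(environ, hook=None):
    """Dispatch like a tiny app with an optional before_request hook.
    Returns (status, body): 200 with the generated link, or 400 when rejected."""
    request = Request(environ)
    try:
        if hook is not None:
            hook(request)
        return 200, link_view(request)
    except BadRequest as exc:
        return 400, str(exc)
```

Without the hook, a request carrying a foreign Host header still receives a 200 response whose link points at that foreign host; with the hook installed, the same request is rejected before the view runs.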

Weakness Enumeration

Special Elements Injection

Related Identifiers

CVE-2019-1020006
GHSA-94MF-XFG5-R247
PYSEC-2019-24

Affected Products

Invenio-App