PT-2024-6608 · Webob+6

Sara Gao · Published 2024-08-14 · Updated 2024-12-19 · CVE-2024-42353

CVSS v2.0: 6.4 (Medium)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N
Name of the Vulnerable Software and Affected Versions: WebOb versions prior to 1.8.8
Description: The issue lies in how WebOb handles HTTP Location headers, where the urlparse and urljoin functions can be abused to redirect users to arbitrary URLs. urlparse treats a string that starts with // as a URI without a scheme, so the text after the // is parsed as a hostname, and urljoin then uses that hostname in place of the original hostname of the request. This allows a remote attacker to redirect users to malicious sites.
Recommendations: For WebOb versions prior to 1.8.8, upgrade to version 1.8.8, which patches the vulnerability. As a temporary workaround, rewrite any use of the Response class that sets a location so that it always passes a full URI, including the hostname, of the page the user should be redirected to. Restrict access to the vulnerable urlparse and urljoin functions to minimize the risk of exploitation, and avoid the // notation at the start of URLs to prevent redirects to malicious sites.
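As an added example (not WebOb's own code), the following Python models the mechanism described above with the standard library's urlparse and urljoin, and shows a defender-side resolver that refuses the scheme-relative form and any cross-host result. The request URL, hostnames and the allowed_hosts parameter are constructed for illustration.

```python
from urllib.parse import urljoin, urlparse


def resolved_host(request_url: str, location: str) -> str:
    """Host the client would be sent to if ``location`` were resolved against
    ``request_url`` with urljoin, the way the vulnerable code path did."""
    return urlparse(urljoin(request_url, location)).netloc.lower()


def safe_location(request_url: str, location: str,
                  allowed_hosts: frozenset = frozenset()) -> str:
    """Resolve a redirect target, refusing any value that would move the
    client off the request host (or off an explicitly allowed host).

    The scheme-relative form is rejected first: for '//host/path' urlparse
    returns scheme='' with netloc='host', and urljoin then replaces the
    request's host with that netloc. The resolved host is checked as well,
    which also catches absolute URLs that point at other hosts.
    """
    parts = urlparse(location)
    if parts.scheme == "" and parts.netloc != "":
        raise ValueError(f"scheme-relative Location refused: {location!r}")
    resolved = urljoin(request_url, location)
    target = urlparse(resolved).netloc.lower()
    permitted = {urlparse(request_url).netloc.lower(), *allowed_hosts}
    if target not in permitted:
        raise ValueError(f"cross-host Location refused: {location!r} -> {resolved}")
    return resolved


def is_refused(request_url: str, location: str,
               allowed_hosts: frozenset = frozenset()) -> bool:
    """True when safe_location rejects the value (used by the checks below)."""
    try:
        safe_location(request_url, location, allowed_hosts)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample request and Location values; the hosts are illustrative.
    req = "https://www.example.com/login"
    print(resolved_host(req, "/dashboard"))            # www.example.com
    print(resolved_host(req, "//attacker.invalid/p"))  # attacker.invalid: host swapped
    print(safe_location(req, "/dashboard"))            # https://www.example.com/dashboard
    print(is_refused(req, "//attacker.invalid/p"))     # True
```

The first check alone is the narrow fix for this bug shape; the resolved-host comparison is what makes the function safe against any other input that ends up pointing off-site.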

Exploit

Fix

Open Redirect

Weakness Enumeration

Related Identifiers

ALT-PU-2024-16984
ALT-PU-2024-17187
AZL-47820
AZL-47826
BDU:2024-07761
CVE-2024-42353
ECHO-7481-8FEB-D02B
GHSA-MG3V-6M49-JHP3
MGASA-2024-0308
OESA-2024-2043
OPENSUSE-SU-2024:14279-1
OPENSUSE-SU-2024_2970-1
OPENSUSE-SU-2024_3116-1
PYSEC-2024-188
RHSA-2024:6775
RHSA-2024:6827
RHSA-2024:7182
RHSA-2024:7187
RHSA-2024:7941
RHSA-2024:9983
RHSA-2024:9989
RHSA-2025:4664
RHSA-2025:9775
SUSE-SU-2024:2969-1
SUSE-SU-2024:2970-1
SUSE-SU-2024:3116-1
SUSE-SU-2024_2969-1
SUSE-SU-2024_3116-1
USN-6984-1

Affected Products

Alt Linux
Debian
Linuxmint
Red Os
Suse
Ubuntu
Webob