CVE-2024-42353

Name: CVE-2024-42353
Description: WebOb provides objects for HTTP requests and responses. When WebOb normalizes the HTTP Location header to include the request hostname, it does so by parsing the URL that the user is to be redirected to with Python's urlparse and joining it to the base URL. `urlparse`, however, treats a `//` at the start of a string as a URI without a scheme and then treats the next part as the hostname. `urljoin` will then use that hostname from the second part as the hostname, replacing the original one from the request. This vulnerability is patched in WebOb version 1.8.8.
Source: CVE (at NVD)
Debian Bugs: 1078879
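The urlparse/urljoin interaction in the description, shown as an added example (not code from WebOb or from the Debian tracker). The base URL, the `//`-prefixed Location value and the host name `other.example` are constructed sample values, and `same_origin_normalize` is an illustrative same-origin check written for this page, not the fix that landed in WebOb 1.8.8.

```python
from urllib.parse import urljoin, urlparse

# Constructed sample values (not taken from the advisory).
REQUEST_BASE = "https://app.example/login"          # the request's own base URL
SCHEMELESS_LOCATION = "//other.example/path"         # "//" start: a scheme-less network-path reference
RELATIVE_LOCATION = "/dashboard"                     # an ordinary path-absolute redirect


def naive_normalize(base_url: str, location: str) -> str:
    """Model of the behaviour the description warns about.

    urlparse reads a leading "//" as "no scheme, then a hostname", so urljoin
    keeps the scheme from base_url but takes the host from `location`.
    """
    return urljoin(base_url, location)


def leaves_request_origin(base_url: str, location: str) -> bool:
    """True when resolving `location` against `base_url` yields a different
    scheme or host than the request itself (an assumed defender-side check)."""
    base = urlparse(base_url)
    target = urlparse(urljoin(base_url, location))
    return (target.scheme, target.netloc) != (base.scheme, base.netloc)


def same_origin_normalize(base_url: str, location: str) -> str:
    """Illustrative hardened normalization (an assumption, not WebOb's patch):
    resolve as before, but refuse any result that leaves the request origin."""
    resolved = urljoin(base_url, location)
    if leaves_request_origin(base_url, location):
        raise ValueError(f"Location would leave the request origin: {resolved!r}")
    return resolved


if __name__ == "__main__":
    # Show what urlparse makes of the "//" input, then both normalizations.
    print(urlparse(SCHEMELESS_LOCATION))
    print(naive_normalize(REQUEST_BASE, RELATIVE_LOCATION))
    print(naive_normalize(REQUEST_BASE, SCHEMELESS_LOCATION))
    print(same_origin_normalize(REQUEST_BASE, RELATIVE_LOCATION))
    try:
        same_origin_normalize(REQUEST_BASE, SCHEMELESS_LOCATION)
    except ValueError as exc:
        print("rejected:", exc)
```

Running it shows `urlparse("//other.example/path")` yielding an empty scheme with `netloc='other.example'`, and `naive_normalize` turning that into `https://other.example/path` even though the request was for `app.example`; the same-origin variant accepts the relative redirect and rejects the scheme-less one.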

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package       Release       Version      Status
python-webob (PTS)   jessie        1.4-2        vulnerable
                     stretch       1:1.6.2-2    vulnerable
                     buster        1:1.8.5-1    vulnerable
                     bullseye      1:1.8.6-1.1  vulnerable
                     bookworm      1:1.8.6-3    vulnerable
                     sid, trixie   1:1.8.7-3    vulnerable

The information below is based on the following data on fixed versions.

Package        Type     Release     Fixed Version   Urgency       Origin   Debian Bugs
python-webob   source   jessie      (unfixed)       end-of-life
python-webob   source   (unstable)  (unfixed)                              1078879

Notes

[bookworm] - python-webob <no-dsa> (Minor issue)
[bullseye] - python-webob <postponed> (Minor issue)
https://github.com/Pylons/webob/security/advisories/GHSA-mg3v-6m49-jhp3
Fixed by: https://github.com/Pylons/webob/commit/f689bcf4f0a1f64f1735b1d5069aef5be6974b5b (1.8.8)
[buster] - python-webob <postponed> (Minor issue)
[stretch] - python-webob <postponed> (Minor issue)
