GHSA-373w-rj84-pv6x
Suggest an improvement- Source
- https://github.com/advisories/GHSA-373w-rj84-pv6x
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/06/GHSA-373w-rj84-pv6x/GHSA-373w-rj84-pv6x.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-373w-rj84-pv6x
- Published
- 2023-06-29T15:02:16Z
- Modified
- 2025-02-14T05:31:32.051807Z
- Summary
- SafeURL-Python's hostname blocklist does not block FQDNs
- Details
-
Description
If a hostname was blacklisted, it was possible to bypass the blacklist by requesting the FQDN of the host (e.g. adding
.to the end).Impact
The main purpose of this library is to block requests to internal/private IPs and these cannot be bypassed using this finding. But if a library user had specifically set certain hostnames as blocked, then an attacker would be able to circumvent that block to cause SSRFs to request those hostnames.
Patches
Fixed by https://github.com/IncludeSecurity/safeurl-python/pull/6
Credit
https://github.com/Sim4n6
- Database specific
{ "nvd_published_at": null, "cwe_ids": [], "severity": "LOW", "github_reviewed": true, "github_reviewed_at": "2023-06-29T15:02:16Z" }- References
Affected packages
PyPI / safeurl-python
Package
- Name
- safeurl-python
- View open source insights on deps.dev
- Purl
- pkg:pypi/safeurl-python