GHSA-373w-rj84-pv6x

Source

https://github.com/advisories/GHSA-373w-rj84-pv6x

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/06/GHSA-373w-rj84-pv6x/GHSA-373w-rj84-pv6x.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-373w-rj84-pv6x

Published

2023-06-29T15:02:16Z

Modified

2025-02-14T05:31:32.051807Z

Summary

SafeURL-Python's hostname blocklist does not block FQDNs

Details

Description

If a hostname was blacklisted, it was possible to bypass the blacklist by requesting the FQDN of the host (e.g. adding . to the end).

Impact

The main purpose of this library is to block requests to internal/private IPs and these cannot be bypassed using this finding. But if a library user had specifically set certain hostnames as blocked, then an attacker would be able to circumvent that block to cause SSRFs to request those hostnames.

Patches

Fixed by https://github.com/IncludeSecurity/safeurl-python/pull/6

Credit

https://github.com/Sim4n6

Database specific

{
    "github_reviewed_at": "2023-06-29T15:02:16Z",
    "github_reviewed": true,
    "cwe_ids": [],
    "severity": "LOW",
    "nvd_published_at": null
}

References

Affected packages

PyPI / safeurl-python

Package

Name: safeurl-python; View open source insights on deps.dev
Purl: pkg:pypi/safeurl-python

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.3

Affected versions

1.*

1.0

1.2

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/06/GHSA-373w-rj84-pv6x/GHSA-373w-rj84-pv6x.json"