Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS0zNzN3LXJqODQtcHY2eM4AA0In
SafeURL-Python's hostname blocklist does not block FQDNs
Description
If a hostname was on the blocklist, it was possible to bypass the blocklist by requesting the fully qualified domain name (FQDN) of the host, e.g. by adding a trailing `.` to the hostname, which the string comparison treated as a different name.
Impact
The main purpose of this library is to block requests to internal/private IPs, and that protection cannot be bypassed using this finding. But if a library user had specifically set certain hostnames as blocked, an attacker would be able to circumvent that block and cause SSRF requests to those hostnames.
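The bypass described above and the normalisation that closes it, as an added example (not SafeURL-Python's own code; the blocklist entries and URLs are constructed). The naive check compares the raw hostname string, so `internal.example.com.` slips past an entry for `internal.example.com`; the hardened check strips trailing dots and lowercases before comparing.

```python
from urllib.parse import urlsplit

# Constructed blocklist for the example; a real one would be user-supplied.
BLOCKED_HOSTS = {"internal.example.com", "metadata.example.com"}


def hostname_of(url: str) -> str:
    """Extract the hostname from a URL (urlsplit keeps any trailing dot)."""
    host = urlsplit(url).hostname
    if host is None:
        raise ValueError(f"no hostname in {url!r}")
    return host


def is_blocked_naive(url: str, blocked=BLOCKED_HOSTS) -> bool:
    """Vulnerable pattern: raw string membership test.

    'internal.example.com.' != 'internal.example.com', so the FQDN form
    of a blocked host is not matched even though it resolves identically.
    """
    return hostname_of(url) in blocked


def normalize_host(host: str) -> str:
    """Canonicalise a hostname before comparison.

    Drop trailing dots (the FQDN / root-label form) and lowercase, so that
    every spelling that resolves to the same name compares equal.
    """
    return host.rstrip(".").lower()


def is_blocked(url: str, blocked=BLOCKED_HOSTS) -> bool:
    """Hardened check: normalise both the request host and every entry."""
    normalized_blocklist = {normalize_host(h) for h in blocked}
    return normalize_host(hostname_of(url)) in normalized_blocklist


if __name__ == "__main__":
    bypass = "http://internal.example.com./admin"
    print("naive blocks FQDN form:   ", is_blocked_naive(bypass))  # False
    print("normalised blocks FQDN:   ", is_blocked(bypass))        # True
```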
Patches
Fixed by https://github.com/IncludeSecurity/safeurl-python/pull/6
Permalink: https://github.com/advisories/GHSA-373w-rj84-pv6x
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS0zNzN3LXJqODQtcHY2eM4AA0In
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Low
Classification: General
Published: 10 months ago
Updated: 10 months ago
Identifiers: GHSA-373w-rj84-pv6x
References:
- https://github.com/IncludeSecurity/safeurl-python/security/advisories/GHSA-373w-rj84-pv6x
- https://github.com/IncludeSecurity/safeurl-python/pull/6
- https://github.com/IncludeSecurity/safeurl-python/commit/c4f9677f8790a58eaa1953bac286cca75a5f580e
- https://github.com/advisories/GHSA-373w-rj84-pv6x
Blast Radius: 0.0
Affected Packages
pypi:SafeURL-Python
Dependent packages: 0
Dependent repositories: 1
Downloads: 521 last month
Affected Version Ranges: < 1.3
Fixed in: 1.3
All affected versions:
All unaffected versions: