Headline
GHSA-373w-rj84-pv6x: SafeURL-Python's hostname blocklist does not block FQDNs
Description
If a hostname was blacklisted, it was possible to bypass the blacklist by requesting the FQDN of the host (e.g. adding a trailing . to the end of the hostname), since the verbatim hostname string no longer matched the blacklist entry.
Impact
The main purpose of this library is to block requests to internal/private IPs, and that protection cannot be bypassed using this finding. But if a library user had specifically set certain hostnames as blocked, then an attacker would be able to circumvent that block and cause SSRF requests to those hostnames.
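As an added illustration of the class of bug (not code from SafeURL-Python or the fix in pull request #6), the snippet below shows a hostname blocklist check that compares the extracted hostname verbatim, beside a hardened version that canonicalizes hostnames (lowercasing and stripping the trailing dot of an absolute DNS name) before comparing. The blocklist entries and URLs are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed blocklist for this example; not SafeURL-Python's configuration.
BLOCKED_HOSTS = {"internal.example.com", "admin.example.com"}


def naive_is_blocked(url: str) -> bool:
    """Verbatim comparison of the hostname against the blocklist.

    The fully qualified form "internal.example.com." (trailing dot) names the
    same host, but the string differs, so it slips past the blocklist.
    """
    host = urlsplit(url).hostname or ""
    return host in BLOCKED_HOSTS


def normalize_host(host: str) -> str:
    """Canonicalize a hostname before comparison.

    Lowercase it and drop the trailing dot that marks an absolute DNS name;
    both forms resolve to the same host, so the check must treat them alike.
    """
    return host.lower().rstrip(".")


def hardened_is_blocked(url: str) -> bool:
    """Compare canonicalized hostnames on both sides of the check."""
    host = normalize_host(urlsplit(url).hostname or "")
    blocked = {normalize_host(h) for h in BLOCKED_HOSTS}
    return host in blocked


if __name__ == "__main__":
    for u in ("http://internal.example.com/", "http://internal.example.com./"):
        print(u, "naive:", naive_is_blocked(u), "hardened:", hardened_is_blocked(u))
```

The same canonicalization should be applied to the blocklist entries themselves, so a configured entry with a trailing dot still matches the plain form.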
Patches
Fixed by https://github.com/IncludeSecurity/safeurl-python/pull/6
Credit
https://github.com/Sim4n6
Package
SafeURL-Python (pip)
Affected versions
< 1.3
Patched versions
1.3
References
- GHSA-373w-rj84-pv6x
- IncludeSecurity/safeurl-python#6
- IncludeSecurity/safeurl-python@c4f9677
includesec-ltennant published to IncludeSecurity/safeurl-python
Jun 23, 2023
Published to the GitHub Advisory Database
Jun 29, 2023
Reviewed
Jun 29, 2023
Last updated
Jun 29, 2023