SafeURL-Python's hostname blocklist does not block FQDNs
Low severity • GitHub Reviewed
Published Jun 23, 2023 in IncludeSecurity/safeurl-python • Updated Jun 29, 2023
Published to the GitHub Advisory Database: Jun 29, 2023
Reviewed: Jun 29, 2023
Last updated: Jun 29, 2023
Description
If a hostname was blacklisted, it was possible to bypass the blacklist by requesting the fully qualified form (FQDN) of the host, e.g. by adding a trailing dot to the end of the hostname.
Impact
The main purpose of this library is to block requests to internal/private IPs, and that protection cannot be bypassed using this finding. But if a library user had specifically set certain hostnames as blocked, an attacker could circumvent that block and cause SSRF requests to those hostnames.
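The bypass described above, as an added illustration that is not safeurl-python's own code: a blocklist compared by exact string match misses the trailing-dot (FQDN) form of a hostname, while canonicalising the hostname before the comparison does not. The blocked hostnames are constructed for the example.

```python
"""Trailing-dot blocklist bypass, hypothetical illustration (not safeurl-python's code).

The DNS root is written as a trailing dot, so "internal.example." resolves to the
same host as "internal.example" but is a different string. A blocklist that
compares raw strings therefore misses the fully qualified form.
"""
from urllib.parse import urlsplit

# Constructed blocklist; these hostnames are assumptions, not taken from the advisory.
BLOCKED_HOSTS = {"internal.example", "metadata.example"}


def hostname_of(url: str) -> str:
    """Return the host part of a URL without the port, or "" if there is none."""
    return urlsplit(url).hostname or ""


def is_blocked_naive(url: str) -> bool:
    """Vulnerable check: exact string match, so 'internal.example.' slips through."""
    return hostname_of(url) in BLOCKED_HOSTS


def normalize_hostname(host: str) -> str:
    """Canonicalise a hostname before comparison: lowercase and drop trailing dot(s)."""
    return host.lower().rstrip(".")


def is_blocked_fixed(url: str) -> bool:
    """Hardened check: compare the canonical form against a canonical blocklist."""
    blocked = {normalize_hostname(h) for h in BLOCKED_HOSTS}
    return normalize_hostname(hostname_of(url)) in blocked


if __name__ == "__main__":
    for u in ("http://internal.example/",
              "http://internal.example./",
              "http://INTERNAL.example.:8080/x",
              "http://other.example/"):
        print(f"{u:36} naive={is_blocked_naive(u)!s:5} fixed={is_blocked_fixed(u)}")
```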
Patches
Fixed by IncludeSecurity/safeurl-python#6
Credit
https://github.com/Sim4n6