https://bugzilla.suse.com/show_bug.cgi?id=1229427 Bug ID: 1229427 Summary: VUL-0: CVE-2024-39338: python-nbdime: axios: server-side request forgery due to requests for path relative URLs being processed as protocol relative URLs Classification: openSUSE Product: openSUSE Distribution Version: Leap 15.6 Hardware: Other URL: https://smash.suse.de/issue/417034/ OS: Other Status: NEW Severity: Critical Priority: P5 - None Component: Security Assignee: python-maintainers@suse.com Reporter: camila.matos@suse.com QA Contact: security-team@suse.de CC: camila.matos@suse.com, security-team@suse.de, smash_bz@suse.de Blocks: 1229421 Target Milestone: --- Found By: Security Response Team Blocker: --- +++ This bug was initially created as a clone of Bug #1229421 +++ axios 1.7.2 allows SSRF via unexpected behavior where requests for path relative URLs get processed as protocol relative URLs. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-39338 https://www.cve.org/CVERecord?id=CVE-2024-39338 https://github.com/axios/axios/releases https://jeffhacks.com/advisories/2024/06/24/CVE-2024-39338.html https://bugzilla.redhat.com/show_bug.cgi?id=2304369 -- You are receiving this mail because: You are on the CC list for the bug.