Bug ID	1229427
Summary	VUL-0: CVE-2024-39338: python-nbdime: axios: server-side request forgery due to requests for path relative URLs being processed as protocol relative URLs
Classification	openSUSE
Product	openSUSE Distribution
Version	Leap 15.6
Hardware	Other
URL	https://smash.suse.de/issue/417034/
OS	Other
Status	NEW
Severity	Critical
Priority	P5 - None
Component	Security
Assignee	python-maintainers@suse.com
Reporter	camila.matos@suse.com
QA Contact	security-team@suse.de
CC	camila.matos@suse.com, security-team@suse.de, smash_bz@suse.de
Blocks	1229421
Target Milestone	---
Found By	Security Response Team
Blocker	---

+++ This bug was initially created as a clone of Bug #1229421 +++

axios 1.7.2 allows SSRF via unexpected behavior where requests for path
relative URLs get processed as protocol relative URLs.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-39338
https://www.cve.org/CVERecord?id=CVE-2024-39338
https://github.com/axios/axios/releases
https://jeffhacks.com/advisories/2024/06/24/CVE-2024-39338.html
https://bugzilla.redhat.com/show_bug.cgi?id=2304369

You are receiving this mail because:

You are on the CC list for the bug.