[Bug 1229427] New: VUL-0: CVE-2024-39338: python-nbdime: axios: server-side request forgery due to requests for path relative URLs being processed as protocol relative URLs
https://bugzilla.suse.com/show_bug.cgi?id=1229427

            Bug ID: 1229427
           Summary: VUL-0: CVE-2024-39338: python-nbdime: axios: server-side request forgery due to requests for path relative URLs being processed as protocol relative URLs
    Classification: openSUSE
           Product: openSUSE Distribution
           Version: Leap 15.6
          Hardware: Other
               URL: https://smash.suse.de/issue/417034/
                OS: Other
            Status: NEW
          Severity: Critical
          Priority: P5 - None
         Component: Security
          Assignee: python-maintainers@suse.com
          Reporter: camila.matos@suse.com
        QA Contact: security-team@suse.de
                CC: camila.matos@suse.com, security-team@suse.de, smash_bz@suse.de
            Blocks: 1229421
  Target Milestone: ---
          Found By: Security Response Team
           Blocker: ---

+++ This bug was initially created as a clone of Bug #1229421 +++

axios 1.7.2 allows SSRF via unexpected behavior where requests for path relative URLs get processed as protocol relative URLs.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-39338
https://www.cve.org/CVERecord?id=CVE-2024-39338
https://github.com/axios/axios/releases
https://jeffhacks.com/advisories/2024/06/24/CVE-2024-39338.html
https://bugzilla.redhat.com/show_bug.cgi?id=2304369

-- 
You are receiving this mail because:
You are on the CC list for the bug.
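The mechanism named in the bug description (a path-relative request string that is really protocol-relative, "//host/path", escaping the configured base URL), as an added example that is not part of this bug report and not axios source. The isAbsoluteURL/combineURLs/buildFullPath helpers are written from memory to match the shape of the axios helpers and are an assumption, as is the hard-coded 'http://localhost' fallback base in resolveVulnerable, which stands in for the server-side fallback that the fix removed. resolveHardened goes one step beyond the upstream fix by also refusing any request whose origin differs from the configured baseURL.

```javascript
// Added example: how a user-supplied "path" becomes a request to another host.

// Assumption: modelled on the axios URL helpers, not copied from the package.
function isAbsoluteURL(url) {
  // A scheme prefix ("https://") or a bare "//" both count as absolute,
  // so "//attacker.example/x" is NOT combined with baseURL.
  return /^([a-z][a-z\d+\-.]*:)?\/\//i.test(url);
}

function combineURLs(baseURL, relativeURL) {
  return relativeURL
    ? baseURL.replace(/\/?\/$/, '') + '/' + relativeURL.replace(/^\/+/, '')
    : baseURL;
}

function buildFullPath(baseURL, requestedURL) {
  return baseURL && !isAbsoluteURL(requestedURL)
    ? combineURLs(baseURL, requestedURL)
    : requestedURL;
}

// Vulnerable pattern (assumed fallback origin): resolving against a fixed
// base means a protocol-relative path borrows only the scheme from the base
// and takes the host from the attacker.
function resolveVulnerable(baseURL, requestedURL) {
  const fullPath = buildFullPath(baseURL, requestedURL);
  return new URL(fullPath, 'http://localhost').href;
}

// Hardened pattern: on a server there is no page origin to borrow, so parse
// with no base at all; anything that is not a full absolute URL is invalid.
// Additionally refuse requests whose origin is not the configured baseURL.
// Returns null instead of throwing so callers fail closed.
function resolveHardened(baseURL, requestedURL) {
  const fullPath = buildFullPath(baseURL, requestedURL);
  let parsed;
  try {
    parsed = new URL(fullPath); // throws on "//attacker.example/x" and "/users/1"
  } catch {
    return null;
  }
  if (baseURL && parsed.origin !== new URL(baseURL).origin) {
    return null; // request escaped the configured origin
  }
  return parsed.href;
}

// Constructed inputs: a configured internal API and two request strings,
// one genuinely path-relative and one protocol-relative.
const BASE = 'https://api.internal';
const SAMPLES = ['/users/1', '//attacker.example/x'];

function demo() {
  return SAMPLES.map((p) => ({
    requested: p,
    vulnerable: resolveVulnerable(BASE, p),
    hardened: resolveHardened(BASE, p),
  }));
}

module.exports = { isAbsoluteURL, buildFullPath, resolveVulnerable, resolveHardened, demo };
```

Running demo() shows the first sample resolving to https://api.internal/users/1 in both variants, while the second resolves to http://attacker.example/x in the vulnerable variant and is rejected (null) by the hardened one. The check worth carrying into any service that forwards user-controlled paths is the last one: parse the final URL and compare its origin against the allowlisted base before sending.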
https://bugzilla.suse.com/show_bug.cgi?id=1229427#c1

--- Comment #1 from Camila Camargo de Matos <camila.matos@suse.com> ---
openSUSE:Factory/python-nbdime currently requires the use of a vulnerable version of axios.
SMASH SMASH <smash_bz@suse.de> changed:

           What    |Removed     |Added
----------------------------------------------------------------------------
           Priority|P5 - None   |P3 - Medium
Nico Krapp <nico.krapp@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |nico.krapp@suse.com
           Assignee|python-maintainers@suse.com |nico.krapp@suse.com
Nico Krapp <nico.krapp@suse.com> changed:

           What    |Removed     |Added
----------------------------------------------------------------------------
             Status|NEW         |IN_PROGRESS
https://bugzilla.suse.com/show_bug.cgi?id=1229427#c2

--- Comment #2 from Nico Krapp <nico.krapp@suse.com> ---
Opened an upstream issue to bump the axios version used in nbdime.
https://github.com/jupyter/nbdime/issues/759
https://bugzilla.suse.com/show_bug.cgi?id=1229427#c3

--- Comment #3 from Nico Krapp <nico.krapp@suse.com> ---
Opened an upstream pull request to update the axios version.
https://github.com/jupyter/nbdime/pull/760
https://bugzilla.suse.com/show_bug.cgi?id=1229427#c4

--- Comment #4 from Nico Krapp <nico.krapp@suse.com> ---
Upstream told me that axios is very likely not part of the shipped releases but some kind of dev dependency, and this is consistent with my attempt to find any axios source code in the package. I am still investigating this.
Andrea Mattiazzo <andrea.mattiazzo@suse.com> changed:

           What    |Removed     |Added
----------------------------------------------------------------------------
           Severity|Critical    |Major
                 CC|            |andrea.mattiazzo@suse.com
https://bugzilla.suse.com/show_bug.cgi?id=1229427#c5

--- Comment #5 from Nico Krapp <nico.krapp@suse.com> ---
From my findings I can confirm that axios is only a dev dependency in python-nbdime, and nbdime is not affected.
Camila Camargo de Matos <camila.matos@suse.com> changed:

           What    |Removed     |Added
----------------------------------------------------------------------------
             Status|IN_PROGRESS |RESOLVED
         Resolution|---         |INVALID
Camila Camargo de Matos <camila.matos@suse.com> changed:

           What    |Removed             |Added
----------------------------------------------------------------------------
           Assignee|nico.krapp@suse.com |security-team@suse.de