CVE-2018-14505: Mitmweb in mitmproxy allows DNS Rebinding attacks

CVSS Score: 8.8
CVSS Version: 3.0

Basic Information

EPSS Score: 0.55936%
Published: 7/31/2018
Updated: 10/1/2024
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Package Name: mitmproxy
Ecosystem: pip
Vulnerable Versions: < 4.0.4
First Patched Version: 4.0.4

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability stemmed from improper host validation in mitmweb's web server setup. Before the patch, the Application class in app.py registered its handlers without any host restriction, so the web interface could be reached under any domain name. The fix added DNS rebinding protection in two ways: 1) it introduced a DnsRebind handler that blocks non-IP access, and 2) it restricted handler registration to hosts that match IP/localhost patterns via a regex. The original handler configuration in Application.__init__ was the root cause because it did not validate request origins, which is why CWE-20 (Input Validation) applies.
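The host restriction described above can be illustrated with a standard-library Host header check. This is an added example, not mitmproxy's code: the function names, the sample Host values and the port are assumptions, and it parses IP literals with `ipaddress` rather than using the regex from the patch.

```python
import ipaddress

def host_part(host_header: str) -> str:
    """Return the host from a Host header value, without port or IPv6 brackets."""
    value = host_header.strip()
    if value.startswith("["):                 # bracketed IPv6 literal, e.g. [::1]:8081
        end = value.find("]")
        if end == -1:
            raise ValueError("unterminated IPv6 literal")
        rest = value[end + 1:]
        if rest and not (rest.startswith(":") and rest[1:].isdigit()):
            raise ValueError("unexpected data after IPv6 literal")
        return value[1:end]
    host, sep, port = value.rpartition(":")
    if sep:                                   # "host:port" form
        if not port.isdigit():
            raise ValueError("non-numeric port")
        return host
    return value

def host_is_allowed(host_header: str) -> bool:
    """Allow only 'localhost' or a literal IP address; any other name is refused."""
    try:
        host = host_part(host_header)
    except ValueError:
        return False
    if host.lower() == "localhost":
        return True
    try:
        ipaddress.ip_address(host)            # raises ValueError for domain names
    except ValueError:
        return False
    return True

def dispatch(host_header: str) -> int:
    """HTTP status a guarded server would return for this Host header."""
    return 200 if host_is_allowed(host_header) else 403

# Constructed sample values. In a rebinding scenario the browser still sends
# the domain name in the Host header, even once that name resolves to 127.0.0.1.
SAMPLE_HOSTS = [
    "127.0.0.1:8081",
    "localhost:8081",
    "[::1]:8081",
    "rebind.attacker.example:8081",
    "127.0.0.1.attacker.example",
]

if __name__ == "__main__":
    for h in SAMPLE_HOSTS:
        print(f"{h:32} -> {dispatch(h)}")
```
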
