CVE-2024-27291: Docassemble open redirect

CVSS Score (v3.1): 6.1

Basic Information

EPSS Score: 0.37341%
Published: 2/29/2024
Updated: 3/21/2024
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Package Name: docassemble.webapp
Ecosystem: pip
Vulnerable Versions: < 1.4.97
First Patched Version: 1.4.97

Vulnerability Intelligence
Root Cause Analysis (Miggo AI)

The vulnerability is an open redirect caused by improper URL validation. The commit diff shows critical changes to the make_safe_url function in server.py, where the patched version adds: 1) a check of the redirect target against a list of allowed endpoints, 2) path normalization so that relative segments cannot change where the path resolves, and 3) a strict requirement that the path begin with a single leading slash. Together these changes close the open redirect by ensuring a user-supplied URL cannot be crafted to send the browser to an external domain.
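The three controls described above, as an added illustrative example (this is not docassemble's make_safe_url and the endpoint allowlist is constructed for the demonstration):

```python
from urllib.parse import urlsplit, urlunsplit
import posixpath

# Constructed allowlist of first path segments a redirect may target; the
# real application's endpoint list is not on this page.
ALLOWED_ENDPOINTS = frozenset({"interview", "list", "user", "playground"})
DEFAULT_URL = "/interview"


def make_safe_url(url, allowed=ALLOWED_ENDPOINTS, default=DEFAULT_URL):
    """Return a same-origin path derived from `url`, or `default` if `url`
    could send the browser to another host or to an unlisted endpoint."""
    if not isinstance(url, str) or not url.strip():
        return default
    # Browsers treat '\' like '/', so '/\evil.example' is really
    # '//evil.example'; canonicalise before parsing.
    candidate = url.strip().replace("\\", "/")
    parts = urlsplit(candidate)

    # Check 1: a scheme ('https:', 'javascript:') or a host means the URL is
    # absolute or protocol-relative and may leave this site.
    if parts.scheme or parts.netloc:
        return default

    # Check 2: strict slash prefix. Exactly one leading '/' is required;
    # a bare 'foo' is ambiguous and '//' was already caught above.
    if not parts.path.startswith("/") or parts.path.startswith("//"):
        return default

    # Check 3: collapse '.' and '..' segments so the endpoint test below sees
    # where the path actually resolves, then re-apply the prefix rule.
    path = posixpath.normpath(parts.path)
    if not path.startswith("/") or path.startswith("//"):
        return default

    # Check 4: the resolved first segment must be a known endpoint.
    first_segment = path.split("/", 2)[1]
    if first_segment not in allowed:
        return default

    # Keep the query string (e.g. an interview selector) but drop fragments.
    return urlunsplit(("", "", path, parts.query, ""))
```

Anything that fails a check falls back to the default landing page rather than being rejected with an error, which is the usual behaviour for a post-login "next" parameter.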


WAF Protection Rules

WAF Rule

Impact: It is possible to create a URL that acts as an open redirect.

Patches: The vulnerability has been patched in version 1.4.97 of the master branch. The Docker image on docker.io has been patched.

Workarounds: If upgrading is not poss
