Overly permissive cross-domain whitelist in Python Engine.IO

#VU19229 Overly permissive cross-domain whitelist in Python Engine.IO

Published: 2019-07-17 | Updated: 2020-01-30

Vulnerability identifier: #VU19229

Vulnerability risk: Low

CVSSv3.1: 3.7 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-13611

CWE-ID: CWE-942

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Python Engine.IO
Web applications / Other software

Vendor: Miguel Grinberg

Description

The vulnerability allows a remote attacker to bypass the CORS protection mechanism.

The vulnerability exists due to incorrect processing of the "Origin" HTTP header that is supplied within HTTP request. A remote attacker can supply arbitrary value via the "Origin" HTTP header, bypass implemented CORS protection mechanism and perform Cross-Site WebSocket Hijacking (CSWSH) attacks against the vulnerable application.

Mitigation
Install update from vendor's website.

Vulnerable software versions

Python Engine.IO: 0.1.0 - 3.8.2

External links
http://github.com/miguelgrinberg/python-engineio/issues/128

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Security restrictions bypass in Python Engine.IO server