{ "document":{ "aggregate_severity":{ "namespace":"https://nvd.nist.gov/vuln-metrics/cvss", "text":"MEDIUM" }, "category":"csaf_vex", "csaf_version":"2.0", "distribution":{ "tlp":{ "label":"WHITE", "url":"https:/www.first.org/tlp/" } }, "lang":"en", "notes":[ { "text":"### Impact\n\nWhen WebOb normalizes the HTTP Location header to include the request hostname, it does so by parsing the URL that the user is to be redirected to with Python's `urllib.parse`, and joining it to the base URL. `urlsplit` (called internally by `urljoin`) however treats a `//` at the start of a string as a URI without a scheme, and then treats the next part as the hostname. `urljoin` will then use that hostname from the second part as the hostname replacing the original one from the request.\n\nIn a previous advisory https://github.com/Pylons/webob/security/advisories/GHSA-mg3v-6m49-jhp3 an attempt to fix this was made by forcing the replacement of `//` with `/%2f`, however this did not take into account that since Python 3.10 `urlsplit` internally strips ASCII tab, carriage return, and newline characters from the string, so `/\\t/attacker.com` gets turned into `//attacker.com` and the attacker is able to bypass the changes introduced in that previous advisory, thereby bringing back the problem that was attempted to be fixed.\n\n```\n>>> parse.urlparse(\"//attacker.com/some/path\")\nParseResult(scheme='', netloc='attacker.com', path='/some/path', params='', query='', fragment='')\n```\n\nWebOb uses `urljoin` to take the request URI and join the redirect location to it, so assuming the request URI is `https://example.org/` and the URL to redirect to is `/\\t/attacker.com/some/path/`:\n\n```\n>>> parse.urljoin(\"https://example.org/\", \"/\\t/attacker.com/some/path/\")\n'https://attacker.com/some/path/'\n```\n\nWhich redirects from `example.org` where we want the user to stay to `attacker.com`.\n\n### Patches\n\nThis issue has been fixed in WebOb 1.8.10.\n\n### Workarounds\n\nAny use of the `Response` class that includes a `location` can be rewritten to make sure to always pass a full URI that includes the hostname to redirect the user to, or to validate that the redirect target starts with a scheme (e.g. `http://` or `https://`) before assigning to `Response.location`.\n\n### References\n\n- https://github.com/Pylons/webob/security/advisories/GHSA-mg3v-6m49-jhp3\n- CVE-2024-42353\n\n### Thanks\n\n- Caleb Brown of Google", "category":"general", "title":"Synopsis" } ], "publisher":null, "references":[ { "summary":"nvd cve", "category":"external", "url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44889" }, { "summary":"CVE-2026-44889 vex file", "category":"self", "url":"https://repo.openeuler.org/security/data/csaf/cve/2026/csaf-openeuler-cve-2026-44889.json" }, { "summary":"openEuler-SA-2026-2679", "category":"self", "url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2679" }, { "summary":"CVE-2026-44889", "category":"self", "url":"https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-44889&packageName=python-webob" } ], "title":"openEuler cve CVE-2026-44889", "tracking":{ "initial_release_date":"2026-06-18T16:39:00+08:00", "revision_history":[ { "date":"2026-06-18T16:39:00+08:00", "summary":"Initial", "number":"1.0.0" } ], "generator":{ "date":"2026-06-18T16:39:00+08:00", "engine":{ "name":"openEuler CSAF Tool V1.0" } }, "current_release_date":"2026-06-18T16:39:00+08:00", "id":"CVE-2026-44889", "version":"1.0.0", "status":"interim" } }, "product_tree":{ "branches":[ { "name":"openEuler", "category":"vendor", "branches":[ { "name":"openEuler", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:22.03-LTS-SP4" }, "product_id":"openEuler-22.03-LTS-SP4", "name":"openEuler-22.03-LTS-SP4" }, "name":"openEuler-22.03-LTS-SP4", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP1" }, "product_id":"openEuler-24.03-LTS-SP1", "name":"openEuler-24.03-LTS-SP1" }, "name":"openEuler-24.03-LTS-SP1", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP3" }, "product_id":"openEuler-24.03-LTS-SP3", "name":"openEuler-24.03-LTS-SP3" }, "name":"openEuler-24.03-LTS-SP3", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP4" }, "product_id":"openEuler-20.03-LTS-SP4", "name":"openEuler-20.03-LTS-SP4" }, "name":"openEuler-20.03-LTS-SP4", "category":"product_version" } ], "category":"product_name" }, { "name":"src", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:22.03-LTS-SP4" }, "product_id":"python-webob-1.8.7-4.oe2203sp4.src.rpm", "name":"python-webob-1.8.7-4.oe2203sp4.src.rpm" }, "name":"python-webob-1.8.7-4.oe2203sp4.src.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP1" }, "product_id":"python-webob-1.8.7-5.oe2403sp1.src.rpm", "name":"python-webob-1.8.7-5.oe2403sp1.src.rpm" }, "name":"python-webob-1.8.7-5.oe2403sp1.src.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP3" }, "product_id":"python-webob-1.8.7-5.oe2403sp3.src.rpm", "name":"python-webob-1.8.7-5.oe2403sp3.src.rpm" }, "name":"python-webob-1.8.7-5.oe2403sp3.src.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP4" }, "product_id":"python-webob-1.8.2-5.oe2003sp4.src.rpm", "name":"python-webob-1.8.2-5.oe2003sp4.src.rpm" }, "name":"python-webob-1.8.2-5.oe2003sp4.src.rpm", "category":"product_version" } ], "category":"architecture" }, { "name":"noarch", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:22.03-LTS-SP4" }, "product_id":"python3-webob-1.8.7-4.oe2203sp4.noarch.rpm", "name":"python3-webob-1.8.7-4.oe2203sp4.noarch.rpm" }, "name":"python3-webob-1.8.7-4.oe2203sp4.noarch.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP1" }, "product_id":"python3-webob-1.8.7-5.oe2403sp1.noarch.rpm", "name":"python3-webob-1.8.7-5.oe2403sp1.noarch.rpm" }, "name":"python3-webob-1.8.7-5.oe2403sp1.noarch.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP3" }, "product_id":"python3-webob-1.8.7-5.oe2403sp3.noarch.rpm", "name":"python3-webob-1.8.7-5.oe2403sp3.noarch.rpm" }, "name":"python3-webob-1.8.7-5.oe2403sp3.noarch.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP4" }, "product_id":"python2-webob-1.8.2-5.oe2003sp4.noarch.rpm", "name":"python2-webob-1.8.2-5.oe2003sp4.noarch.rpm" }, "name":"python2-webob-1.8.2-5.oe2003sp4.noarch.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP4" }, "product_id":"python3-webob-1.8.2-5.oe2003sp4.noarch.rpm", "name":"python3-webob-1.8.2-5.oe2003sp4.noarch.rpm" }, "name":"python3-webob-1.8.2-5.oe2003sp4.noarch.rpm", "category":"product_version" } ], "category":"architecture" } ] } ], "relationships":[ { "relates_to_product_reference":"openEuler-22.03-LTS-SP4", "product_reference":"python-webob-1.8.7-4.oe2203sp4.src.rpm", "full_product_name":{ "product_id":"openEuler-22.03-LTS-SP4:python-webob-1.8.7-4.oe2203sp4.src", "name":"python-webob-1.8.7-4.oe2203sp4.src as a component of openEuler-22.03-LTS-SP4" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS-SP1", "product_reference":"python-webob-1.8.7-5.oe2403sp1.src.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS-SP1:python-webob-1.8.7-5.oe2403sp1.src", "name":"python-webob-1.8.7-5.oe2403sp1.src as a component of openEuler-24.03-LTS-SP1" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS-SP3", "product_reference":"python-webob-1.8.7-5.oe2403sp3.src.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS-SP3:python-webob-1.8.7-5.oe2403sp3.src", "name":"python-webob-1.8.7-5.oe2403sp3.src as a component of openEuler-24.03-LTS-SP3" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-20.03-LTS-SP4", "product_reference":"python-webob-1.8.2-5.oe2003sp4.src.rpm", "full_product_name":{ "product_id":"openEuler-20.03-LTS-SP4:python-webob-1.8.2-5.oe2003sp4.src", "name":"python-webob-1.8.2-5.oe2003sp4.src as a component of openEuler-20.03-LTS-SP4" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-22.03-LTS-SP4", "product_reference":"python3-webob-1.8.7-4.oe2203sp4.noarch.rpm", "full_product_name":{ "product_id":"openEuler-22.03-LTS-SP4:python3-webob-1.8.7-4.oe2203sp4.noarch", "name":"python3-webob-1.8.7-4.oe2203sp4.noarch as a component of openEuler-22.03-LTS-SP4" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS-SP1", "product_reference":"python3-webob-1.8.7-5.oe2403sp1.noarch.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS-SP1:python3-webob-1.8.7-5.oe2403sp1.noarch", "name":"python3-webob-1.8.7-5.oe2403sp1.noarch as a component of openEuler-24.03-LTS-SP1" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS-SP3", "product_reference":"python3-webob-1.8.7-5.oe2403sp3.noarch.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS-SP3:python3-webob-1.8.7-5.oe2403sp3.noarch", "name":"python3-webob-1.8.7-5.oe2403sp3.noarch as a component of openEuler-24.03-LTS-SP3" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-20.03-LTS-SP4", "product_reference":"python2-webob-1.8.2-5.oe2003sp4.noarch.rpm", "full_product_name":{ "product_id":"openEuler-20.03-LTS-SP4:python2-webob-1.8.2-5.oe2003sp4.noarch", "name":"python2-webob-1.8.2-5.oe2003sp4.noarch as a component of openEuler-20.03-LTS-SP4" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-20.03-LTS-SP4", "product_reference":"python3-webob-1.8.2-5.oe2003sp4.noarch.rpm", "full_product_name":{ "product_id":"openEuler-20.03-LTS-SP4:python3-webob-1.8.2-5.oe2003sp4.noarch", "name":"python3-webob-1.8.2-5.oe2003sp4.noarch as a component of openEuler-20.03-LTS-SP4" }, "category":"default_component_of" } ] }, "vulnerabilities":[ { "cve":"CVE-2026-44889", "notes":[ { "text":"### Impact\n\nWhen WebOb normalizes the HTTP Location header to include the request hostname, it does so by parsing the URL that the user is to be redirected to with Python's `urllib.parse`, and joining it to the base URL. `urlsplit` (called internally by `urljoin`) however treats a `//` at the start of a string as a URI without a scheme, and then treats the next part as the hostname. `urljoin` will then use that hostname from the second part as the hostname replacing the original one from the request.\n\nIn a previous advisory https://github.com/Pylons/webob/security/advisories/GHSA-mg3v-6m49-jhp3 an attempt to fix this was made by forcing the replacement of `//` with `/%2f`, however this did not take into account that since Python 3.10 `urlsplit` internally strips ASCII tab, carriage return, and newline characters from the string, so `/\\t/attacker.com` gets turned into `//attacker.com` and the attacker is able to bypass the changes introduced in that previous advisory, thereby bringing back the problem that was attempted to be fixed.\n\n```\n>>> parse.urlparse(\"//attacker.com/some/path\")\nParseResult(scheme='', netloc='attacker.com', path='/some/path', params='', query='', fragment='')\n```\n\nWebOb uses `urljoin` to take the request URI and join the redirect location to it, so assuming the request URI is `https://example.org/` and the URL to redirect to is `/\\t/attacker.com/some/path/`:\n\n```\n>>> parse.urljoin(\"https://example.org/\", \"/\\t/attacker.com/some/path/\")\n'https://attacker.com/some/path/'\n```\n\nWhich redirects from `example.org` where we want the user to stay to `attacker.com`.\n\n### Patches\n\nThis issue has been fixed in WebOb 1.8.10.\n\n### Workarounds\n\nAny use of the `Response` class that includes a `location` can be rewritten to make sure to always pass a full URI that includes the hostname to redirect the user to, or to validate that the redirect target starts with a scheme (e.g. `http://` or `https://`) before assigning to `Response.location`.\n\n### References\n\n- https://github.com/Pylons/webob/security/advisories/GHSA-mg3v-6m49-jhp3\n- CVE-2024-42353\n\n### Thanks\n\n- Caleb Brown of Google", "category":"description", "title":"Vulnerability Description" } ], "product_status":{ "fixed":[ "openEuler-22.03-LTS-SP4:python-webob-1.8.7-4.oe2203sp4.src", "openEuler-24.03-LTS-SP1:python-webob-1.8.7-5.oe2403sp1.src", "openEuler-24.03-LTS-SP3:python-webob-1.8.7-5.oe2403sp3.src", "openEuler-20.03-LTS-SP4:python-webob-1.8.2-5.oe2003sp4.src", "openEuler-22.03-LTS-SP4:python3-webob-1.8.7-4.oe2203sp4.noarch", "openEuler-24.03-LTS-SP1:python3-webob-1.8.7-5.oe2403sp1.noarch", "openEuler-24.03-LTS-SP3:python3-webob-1.8.7-5.oe2403sp3.noarch", "openEuler-20.03-LTS-SP4:python2-webob-1.8.2-5.oe2003sp4.noarch", "openEuler-20.03-LTS-SP4:python3-webob-1.8.2-5.oe2003sp4.noarch" ] }, "remediations":[ { "product_ids":[ "openEuler-22.03-LTS-SP4:python-webob-1.8.7-4.oe2203sp4.src", "openEuler-24.03-LTS-SP1:python-webob-1.8.7-5.oe2403sp1.src", "openEuler-24.03-LTS-SP3:python-webob-1.8.7-5.oe2403sp3.src", "openEuler-20.03-LTS-SP4:python-webob-1.8.2-5.oe2003sp4.src", "openEuler-22.03-LTS-SP4:python3-webob-1.8.7-4.oe2203sp4.noarch", "openEuler-24.03-LTS-SP1:python3-webob-1.8.7-5.oe2403sp1.noarch", "openEuler-24.03-LTS-SP3:python3-webob-1.8.7-5.oe2403sp3.noarch", "openEuler-20.03-LTS-SP4:python2-webob-1.8.2-5.oe2003sp4.noarch", "openEuler-20.03-LTS-SP4:python3-webob-1.8.2-5.oe2003sp4.noarch" ], "details":"python-webob security update", "category":"vendor_fix", "url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2679" } ], "scores":[ { "cvss_v3":{ "baseSeverity":"MEDIUM", "baseScore":6.1, "vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version":"3.1" }, "products":[ "openEuler-22.03-LTS-SP4:python-webob-1.8.7-4.oe2203sp4.src", "openEuler-24.03-LTS-SP1:python-webob-1.8.7-5.oe2403sp1.src", "openEuler-24.03-LTS-SP3:python-webob-1.8.7-5.oe2403sp3.src", "openEuler-20.03-LTS-SP4:python-webob-1.8.2-5.oe2003sp4.src", "openEuler-22.03-LTS-SP4:python3-webob-1.8.7-4.oe2203sp4.noarch", "openEuler-24.03-LTS-SP1:python3-webob-1.8.7-5.oe2403sp1.noarch", "openEuler-24.03-LTS-SP3:python3-webob-1.8.7-5.oe2403sp3.noarch", "openEuler-20.03-LTS-SP4:python2-webob-1.8.2-5.oe2003sp4.noarch", "openEuler-20.03-LTS-SP4:python3-webob-1.8.2-5.oe2003sp4.noarch" ] } ], "threats":[ { "details":"Medium", "category":"impact" } ], "title":"CVE-2026-44889" } ] }