SCA: security update for webob (GHSA-fh3h-vg37-cc95)

medium Tenable Cloud Security Plugin ID 442641

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- WebOb provides objects for HTTP requests and responses. Prior to 1.8.10, the normalization of the HTTP
Location header during a redirect is vulnerable to an open redirect: WebOb joins the redirect target to
the request URI using Python's urljoin, and since Python 3.10 the underlying urlsplit strips ASCII tab,
carriage return, and newline characters before parsing, so a redirect target containing such characters
can be reinterpreted as a protocol-relative URL whose authority is an attacker-controlled host. This
bypasses the CVE-2024-42353 fix that escaped a leading double slash, allowing an attacker who influences
the redirect location to send users to an arbitrary external site instead of the intended one. This
vulnerability is fixed in 1.8.10. (CVE-2026-44889)

Solution

Update the webob library and its related packages to version 1.8.10 or later.

See Also

https://github.com/advisories/GHSA-fh3h-vg37-cc95

Plugin Details

Severity: Medium

ID: 442641

Version: Revision 1.4

Type: Local

Family: SCA Checks

Published: 6/4/2026

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 2.3

Percentile: 9.52

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 6.4

Temporal Score: 4.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N

CVSS Score Source: CVE-2026-44889

CVSS v3

Risk Factor: Medium

Base Score: 6.1

Temporal Score: 5.3

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 6/4/2026

Vulnerability Publication Date: 6/4/2026

Reference Information

CVE: CVE-2026-44889

cwe: CWE-601