VYPR

Moderate severity · NVD Advisory · Published Jul 29, 2019 · Updated Aug 5, 2024

CVE-2019-1020006

Description

Invenio-App before 1.1.1 allows host header injection due to incomplete validation by APP_ALLOWED_HOSTS in Werkzeug's routing system.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Root Cause

Invenio-App versions before 1.1.1 are vulnerable to host header injection because the APP_ALLOWED_HOSTS configuration variable does not fully prevent the attack. Werkzeug's trusted-host feature, on which APP_ALLOWED_HOSTS relies, is not consulted by the routing system that url_for uses to build URLs. Consequently, when a view calls url_for to generate an external URL without first checking request.host, the resulting URL can carry an attacker-controlled host taken from the Host header [1][2].

Exploitation Conditions

For an attack to succeed, three conditions must be met: (1) the web server must be configured to route all requests to the application; (2) the application relies solely on APP_ALLOWED_HOSTS to whitelist allowed host headers; and (3) Flask's request.host is not evaluated during request handling. A simple view that returns a URL using url_for(..., _external=True) or renders a Jinja template without checking request.host is sufficient to trigger the vulnerability [1][2].

Impact

An attacker can perform host header injection, which may lead to cache poisoning, password reset poisoning, or other attacks that depend on manipulating the Host header. The vulnerability does not require authentication, and it can be exploited remotely if the web server passes all requests to the application [1][2].

Mitigation

The vulnerability is patched in Invenio-App versions 1.0.6 and 1.1.1 [1][2]. As a workaround, administrators should configure their web server (e.g., Nginx) with a default virtual host that acts as a catch-all, and an application virtual host that only responds to a whitelist of host headers. This ensures that requests with an invalid Host header are not forwarded to the application [1][2].
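The catch-all virtual host workaround described above, written out as an added Nginx example (it is not taken from the advisory or from the Invenio project); the host names, certificate paths and upstream address are placeholders.

```nginx
# Default virtual host: matches any Host header that no other server block
# claims and closes the connection without a response (444 is Nginx's
# non-standard "drop connection" code). Requests carrying an unexpected or
# spoofed Host header therefore never reach the Invenio application.
server {
    listen 80 default_server;
    listen 443 ssl default_server;
    server_name _;

    # A certificate is required for the TLS catch-all to complete the
    # handshake; any valid certificate you control will do (placeholder path).
    ssl_certificate     /etc/nginx/certs/catch-all.pem;
    ssl_certificate_key /etc/nginx/certs/catch-all.key;

    return 444;
}

# Application virtual host: responds only to the exact, allow-listed host
# names. Plain HTTP is redirected to HTTPS so url_for(_external=True) in the
# application always sees a trusted scheme and host.
server {
    listen 80;
    server_name repo.example.org www.repo.example.org;   # placeholder names
    return 301 https://repo.example.org$request_uri;
}

server {
    listen 443 ssl;
    server_name repo.example.org www.repo.example.org;   # placeholder names

    ssl_certificate     /etc/nginx/certs/repo.example.org.pem;
    ssl_certificate_key /etc/nginx/certs/repo.example.org.key;

    location / {
        # Inside this block $host is one of the allow-listed server names, so
        # only a validated Host value is forwarded to the application.
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_pass http://127.0.0.1:5000;   # placeholder WSGI upstream
    }
}
```

To confirm the catch-all is in effect, a request such as `curl -H 'Host: not-on-the-list.example' http://<server-ip>/` should end with "Empty reply from server" rather than an application response.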

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package        Ecosystem  Affected versions   Patched versions
invenio-app    PyPI       < 1.0.6             1.0.6
invenio-app    PyPI       >= 1.1.0, < 1.1.1   1.1.1
