CVE-2024-10081: Python Auth Allowlist Path Endswith Bypass
greprules fetch cve-2024-10081-python-auth-allowlist-path-endswith-bypass --engine opengrep
Description
An anonymous-access allowlist gated by `endswith()` on the raw HTTP path is vulnerable to suffix spoofing (CVE-2024-10081, CWE-288 / CWE-420): an attacker can craft a URL whose raw path ends with one of the allowlisted tokens (e.g. '/Authentication') while the router dispatches the request to a different, privileged endpoint, yielding an authentication bypass.
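The following Python snippet is an added illustration of the pattern the description names; it is not code from the rule page or from the affected project. It places the weak `endswith()` check beside a hardened variant that first resolves the request through the same router that will dispatch it and then allowlists the resolved route name, so the check and the dispatch can no longer disagree. The route table, allowlist, helper names and sample paths are all constructed for the demonstration; in particular the divergent input (a parameterized privileged route whose captured value happens to equal the allowlisted token) is a generic example of the class, not the CVE's actual vector.

```python
"""Constructed example: endswith() allowlist vs. route-resolved allowlist."""
import posixpath
import re
from urllib.parse import unquote, urlsplit

# --- Weak pattern (the one the rule flags) ------------------------------
# Suffix tokens compared against the raw request target. Constructed values.
ALLOWLIST_SUFFIXES = ("/Authentication",)


def anon_allowed_weak(raw_target):
    """Vulnerable check: any raw path ending in an allowlisted token passes,
    regardless of which endpoint the router will actually dispatch to."""
    return any(raw_target.endswith(s) for s in ALLOWLIST_SUFFIXES)


# --- Hardened pattern -----------------------------------------------------
# Constructed route table: (route name, path pattern). "{name}" captures one segment.
ROUTES = [
    ("authentication", "/Authentication"),
    ("admin_user", "/admin/users/{user_id}"),   # privileged, parameterized
    ("admin_index", "/admin"),                  # privileged
]

# Route names (not path suffixes) that may be reached without a session.
ANON_ROUTES = frozenset({"authentication"})


def _compile(pattern):
    """Turn a '/a/{b}' style pattern into an anchored regex."""
    parts = []
    for seg in pattern.strip("/").split("/"):
        if seg.startswith("{") and seg.endswith("}"):
            parts.append("(?P<%s>[^/]+)" % seg[1:-1])
        else:
            parts.append(re.escape(seg))
    return re.compile("^/" + "/".join(parts) + "$")


COMPILED = [(name, _compile(pat)) for name, pat in ROUTES]


def canonical_path(raw_target):
    """Path component only (no query/fragment), percent-decoded, with
    dot segments and duplicate or trailing slashes collapsed."""
    path = unquote(urlsplit(raw_target).path)
    path = posixpath.normpath(path) if path else "/"
    if not path.startswith("/"):
        path = "/" + path
    return path


def resolve_route(raw_target):
    """Return the name of the route the (toy) router would dispatch to, or None."""
    path = canonical_path(raw_target)
    for name, regex in COMPILED:
        if regex.match(path):
            return name
    return None


def anon_allowed_hardened(raw_target):
    """Hardened check: allowlist the *resolved* route, so the decision is made
    on exactly the object the dispatcher uses, not on a raw string suffix."""
    return resolve_route(raw_target) in ANON_ROUTES


def compare(raw_target):
    """Both verdicts for one request target, handy for tests and review."""
    return {
        "route": resolve_route(raw_target),
        "weak": anon_allowed_weak(raw_target),
        "hardened": anon_allowed_hardened(raw_target),
    }


if __name__ == "__main__":
    # Constructed sample request targets.
    for target in ("/Authentication", "/Authentication/",
                   "/admin/users/Authentication", "/admin/users/42",
                   "/Authentication/../admin"):
        print("%-30s %s" % (target, compare(target)))
```

The weak check fails in both directions: it lets `/admin/users/Authentication` through because the raw string ends with the token, and it rejects the legitimate `/Authentication/` because of the trailing slash. The hardened check keys on the router's verdict, which is what real frameworks expose after URL resolution (for instance Flask's `request.endpoint` or Django's `request.resolver_match`), so the allowlist should be evaluated at that point rather than on the raw path in a pre-routing middleware.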
Detection target
Not provided
Recommended fix
Not provided
False-positive notes
Not provided