SUSE-SU-2026:22360-1

Vulnerability from csaf_suse - Published: 2026-06-24 21:41 - Updated: 2026-06-24 21:41
Summary
Security update for python-starlette
Severity
Important
Notes
Title of the patch: Security update for python-starlette
Description of the patch: This update for python-starlette fixes the following issues: - CVE-2026-48817: arbitrary HTTP method dispatched to `HTTPEndpoint` attributes via `getattr` (bsc#1268389). - CVE-2026-54282: request path that lacks a leading forward slash can lead to request.url.hostname manipulation (bsc#1268520). - CVE-2026-54283: urlencoded request body with oversized data can lead to a denial of service (bsc#1268517).
Patchnames: SUSE-SLES-16.0-1066
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
Affected products
Product Identifier Version Remediation
Unresolved product id: SUSE Linux Enterprise Server 16.0:python313-starlette-0.41.3-160000.4.1.noarch
Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:python313-starlette-0.41.3-160000.4.1.noarch
Vendor Fix
Threats
Impact moderate
Affected products
Product Identifier Version Remediation
Unresolved product id: SUSE Linux Enterprise Server 16.0:python313-starlette-0.41.3-160000.4.1.noarch
Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:python313-starlette-0.41.3-160000.4.1.noarch
Vendor Fix
Threats
Impact low
Affected products
Product Identifier Version Remediation
Unresolved product id: SUSE Linux Enterprise Server 16.0:python313-starlette-0.41.3-160000.4.1.noarch
Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:python313-starlette-0.41.3-160000.4.1.noarch
Vendor Fix
Threats
Impact important

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Security update for python-starlette",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "This update for python-starlette fixes the following issues:\n\n- CVE-2026-48817: arbitrary HTTP method dispatched to `HTTPEndpoint` attributes via `getattr` (bsc#1268389).\n- CVE-2026-54282: request path that lacks a leading forward slash can lead to request.url.hostname manipulation\n  (bsc#1268520).\n- CVE-2026-54283: urlencoded request body with oversized data can lead to a denial of service (bsc#1268517).\n",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "SUSE-SLES-16.0-1066",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2026_22360-1.json"
      },
      {
        "category": "self",
        "summary": "URL for SUSE-SU-2026:22360-1",
        "url": "https://www.suse.com/support/update/announcement/2026/suse-su-202622360-1/"
      },
      {
        "category": "self",
        "summary": "E-Mail link for SUSE-SU-2026:22360-1",
        "url": "https://lists.suse.com/pipermail/sle-updates/2026-July/047779.html"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1268389",
        "url": "https://bugzilla.suse.com/1268389"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1268517",
        "url": "https://bugzilla.suse.com/1268517"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1268520",
        "url": "https://bugzilla.suse.com/1268520"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-48817 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-48817/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-54282 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-54282/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-54283 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-54283/"
      }
    ],
    "title": "Security update for python-starlette",
    "tracking": {
      "current_release_date": "2026-06-24T21:41:06Z",
      "generator": {
        "date": "2026-06-24T21:41:06Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "SUSE-SU-2026:22360-1",
      "initial_release_date": "2026-06-24T21:41:06Z",
      "revision_history": [
        {
          "date": "2026-06-24T21:41:06Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python313-starlette-0.41.3-160000.4.1.noarch",
                "product": {
                  "name": "python313-starlette-0.41.3-160000.4.1.noarch",
                  "product_id": "python313-starlette-0.41.3-160000.4.1.noarch"
                }
              }
            ],
            "category": "architecture",
            "name": "noarch"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise Server 16.0",
                "product": {
                  "name": "SUSE Linux Enterprise Server 16.0",
                  "product_id": "SUSE Linux Enterprise Server 16.0",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sles:16:16.0:server"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise Server for SAP applications 16.0",
                "product": {
                  "name": "SUSE Linux Enterprise Server for SAP applications 16.0",
                  "product_id": "SUSE Linux Enterprise Server for SAP applications 16.0",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sles:16:16.0:server-sap"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python313-starlette-0.41.3-160000.4.1.noarch as component of SUSE Linux Enterprise Server 16.0",
          "product_id": "SUSE Linux Enterprise Server 16.0:python313-starlette-0.41.3-160000.4.1.noarch"
        },
        "product_reference": "python313-starlette-0.41.3-160000.4.1.noarch",
        "relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python313-starlette-0.41.3-160000.4.1.noarch as component of SUSE Linux Enterprise Server for SAP applications 16.0",
          "product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:python313-starlette-0.41.3-160000.4.1.noarch"
        },
        "product_reference": "python313-starlette-0.41.3-160000.4.1.noarch",
        "relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-48817",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-48817"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Starlette is a lightweight ASGI framework/toolkit. In versions 1.0.1 and below, when dispatching a request, HTTPEndpoint selects the handler by lowercasing the HTTP method and looking it up as an attribute with getattr, without restricting the lookup to a known set of HTTP verbs. When an HTTPEndpoint subclass is registered through Route(...) without an explicit methods= argument, the route does not constrain the method and every method reaches the endpoint. If a non-standard HTTP method whose lowercased name matches an attribute on the endpoint subclass reaches the endpoint, that attribute is invoked as if it were a request handler. An attacker can use this to reach methods that were never meant to be HTTP handlers, such as internal helpers, without the authorization checks applied by the intended public handler. An application (including Starlette-based frameworks like FastAPI) is affected if it registers an HTTPEndpoint subclass via Route(...) without explicitly setting methods=, and that subclass includes extra methods named like non-standard HTTP verbs that take one request argument and return a response. This issue has been fixed in version 1.1.0.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Server 16.0:python313-starlette-0.41.3-160000.4.1.noarch",
          "SUSE Linux Enterprise Server for SAP applications 16.0:python313-starlette-0.41.3-160000.4.1.noarch"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-48817",
          "url": "https://www.suse.com/security/cve/CVE-2026-48817"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1268389 for CVE-2026-48817",
          "url": "https://bugzilla.suse.com/1268389"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Server 16.0:python313-starlette-0.41.3-160000.4.1.noarch",
            "SUSE Linux Enterprise Server for SAP applications 16.0:python313-starlette-0.41.3-160000.4.1.noarch"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise Server 16.0:python313-starlette-0.41.3-160000.4.1.noarch",
            "SUSE Linux Enterprise Server for SAP applications 16.0:python313-starlette-0.41.3-160000.4.1.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-06-24T21:41:06Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2026-48817"
    },
    {
      "cve": "CVE-2026-54282",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-54282"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Starlette is a lightweight ASGI framework/toolkit. Prior to 1.3.0, the HTTP request path is not validated before being used to reconstruct request.url. Because request.url is rebuilt by concatenating {scheme}://{host}{path} and re-parsing the result, a path that does not begin with / (for example @google.com) moves the authority boundary during re-parsing, so request.url.hostname and request.url.netloc become attacker-controlled. Code that reads request.url.hostname (rather than the Host header or scope) can therefore be misled into trusting an attacker-supplied host. This vulnerability is fixed in 1.3.0.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Server 16.0:python313-starlette-0.41.3-160000.4.1.noarch",
          "SUSE Linux Enterprise Server for SAP applications 16.0:python313-starlette-0.41.3-160000.4.1.noarch"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-54282",
          "url": "https://www.suse.com/security/cve/CVE-2026-54282"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1268520 for CVE-2026-54282",
          "url": "https://bugzilla.suse.com/1268520"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Server 16.0:python313-starlette-0.41.3-160000.4.1.noarch",
            "SUSE Linux Enterprise Server for SAP applications 16.0:python313-starlette-0.41.3-160000.4.1.noarch"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 3.7,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise Server 16.0:python313-starlette-0.41.3-160000.4.1.noarch",
            "SUSE Linux Enterprise Server for SAP applications 16.0:python313-starlette-0.41.3-160000.4.1.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-06-24T21:41:06Z",
          "details": "low"
        }
      ],
      "title": "CVE-2026-54282"
    },
    {
      "cve": "CVE-2026-54283",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-54283"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Starlette is a lightweight ASGI framework/toolkit. From 0.4.1 until 1.3.1, request.form() accepts max_fields and max_part_size to bound resource consumption while parsing form data. These limits are enforced for multipart/form-data, but silently ignored for application/x-www-form-urlencoded. An unauthenticated attacker can therefore send a urlencoded body with an arbitrarily large number of fields or an arbitrarily large field, even when the application configured limits it believed would apply. This vulnerability is fixed in 1.3.1.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Server 16.0:python313-starlette-0.41.3-160000.4.1.noarch",
          "SUSE Linux Enterprise Server for SAP applications 16.0:python313-starlette-0.41.3-160000.4.1.noarch"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-54283",
          "url": "https://www.suse.com/security/cve/CVE-2026-54283"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1268517 for CVE-2026-54283",
          "url": "https://bugzilla.suse.com/1268517"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Server 16.0:python313-starlette-0.41.3-160000.4.1.noarch",
            "SUSE Linux Enterprise Server for SAP applications 16.0:python313-starlette-0.41.3-160000.4.1.noarch"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise Server 16.0:python313-starlette-0.41.3-160000.4.1.noarch",
            "SUSE Linux Enterprise Server for SAP applications 16.0:python313-starlette-0.41.3-160000.4.1.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-06-24T21:41:06Z",
          "details": "important"
        }
      ],
      "title": "CVE-2026-54283"
    }
  ]
}

