CVE-2024-22205: 
Python vulnerability analysis and mitigation

Whoogle Search, a self-hosted metasearch engine, contains a Server-Side Request Forgery (SSRF) vulnerability in versions 0.8.3 and prior. The vulnerability exists in the window endpoint where user-supplied input from the location variable is not properly sanitized before being passed to the send method, which sends a GET request (NVD, GitHub Advisory).

The vulnerability is tracked as CVE-2024-22205 and has been assigned a CVSS v3.1 base score of 9.8 (CRITICAL) by NIST and 9.1 (CRITICAL) by GitHub. The issue stems from insufficient validation of the location variable in the window endpoint, which allows the crafting of GET requests that can be executed by the server. The vulnerability is present in lines 339-343 of request.py where the unsanitized input is passed to the send method (NVD).

This vulnerability allows attackers to craft GET requests to internal and external resources on behalf of the server. An attacker could potentially access resources on the internal network that the server has access to, even if these resources are not accessible from the internet (GitHub Advisory).

The vulnerability has been fixed in version 0.8.4 of Whoogle Search. The fix includes validation of URLs in the element and window endpoints to ensure that only valid domains are processed. Users should upgrade to version 0.8.4 or later to mitigate this vulnerability (GitHub Patch).