Improper Validation in Python's URL Parsing Functions
CVE-2024-11168

6.3MEDIUM

Key Information:

Vendor

Python Software Foundation

Status
Cpython
Vendor
CVE Published:
12 November 2024

What is CVE-2024-11168?

A vulnerability exists in Python's urllib.parse.urlsplit() and urlparse() functions due to improper validation of bracketed hosts. This flaw allows hosts that are not conformant with IPv6 or IPvFuture specifications to be processed incorrectly. Such behavior can open the door to Server-Side Request Forgery (SSRF) attacks when URLs are parsed and processed by multiple URL handlers, deviating from the standards set forth in RFC 3986. It is essential for developers and organizations using affected Python versions to address this issue promptly to safeguard their applications.

Affected Version(s)

CPython 0 < 3.9.21

CPython 3.10.0 < 3.10.16

CPython 3.11.0 < 3.11.4

References

https://github.com/python/cpython/commit/29f348e232e82938...
patch
https://github.com/python/cpython/pull/103849
patch
https://github.com/python/cpython/issues/103848
issue-tracking

CVSS V4

Score:
6.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
High
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

.