
Description

The urllib.parse.urlsplit() and urlparse() functions improperly validated bracketed hosts (`[]`), allowing hosts that weren't IPv6 or IPvFuture. This behavior was not conformant to RFC 3986 and potentially enabled SSRF if a URL is processed by more than one URL parser.
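The RFC 3986 rule the fix enforces is that anything inside `[...]` must be an IPv6 address or an IPvFuture literal; a DNS name or a bare IPv4 address in brackets is invalid. The following added example (written for this page, not CPython's own patch code) implements that check independently and wraps urlsplit() so that the same URLs are rejected on both patched and unpatched interpreters; the sample URLs, the IPvFuture regex, and the lowercase-"v" restriction are assumptions.

```python
import ipaddress
import re
from urllib.parse import SplitResult, urlsplit

# RFC 3986: IP-literal = "[" ( IPv6address / IPvFuture ) "]"
# IPvFuture = "v" 1*HEXDIG "." 1*( unreserved / sub-delims / ":" ); lowercase "v" only (assumption)
_IPVFUTURE_RE = re.compile(r"\Av[0-9A-Fa-f]+\.[A-Za-z0-9\-._~!$&'()*+,;=:]+\Z")

def bracketed_host_is_valid(host: str) -> bool:
    """True only if host (brackets already stripped) is an IPv6 or IPvFuture literal."""
    if host.startswith("v"):
        return _IPVFUTURE_RE.match(host) is not None
    try:  # RFC 3986 forbids a bracketed IPv4 address, so only IPv6Address passes
        return isinstance(ipaddress.ip_address(host), ipaddress.IPv6Address)
    except ValueError:  # not an IP address at all, e.g. "example.com" or ""
        return False

def strict_urlsplit(url: str) -> SplitResult:
    """urlsplit() that raises ValueError for any non-conformant bracketed host."""
    # Patched interpreters already raise inside urlsplit(); unpatched ones return a
    # result whose netloc is validated below, so both behave the same.
    parts = urlsplit(url)
    netloc = parts.netloc
    if "[" in netloc or "]" in netloc:
        if "[" not in netloc or "]" not in netloc:
            raise ValueError("unbalanced brackets in host")
        host = netloc.partition("[")[2].partition("]")[0]  # skips any user:pass@
        if not bracketed_host_is_valid(host):
            raise ValueError(f"bracketed host is not IPv6/IPvFuture: {host!r}")
    return parts

# Constructed sample URLs (not from the advisory) covering the interesting cases.
SAMPLE_URLS = [
    "http://[::1]:8080/path",    # IPv6 literal: accepted
    "http://[v1.fe80::a+en1]/",  # IPvFuture literal: accepted
    "http://[127.0.0.1]/",       # IPv4 in brackets: rejected
    "http://[example.com]/",     # DNS name in brackets: rejected
    "http://[::1/",              # unbalanced bracket: rejected
]

def classify(urls):
    """Map each URL to 'accepted' or 'rejected' under strict_urlsplit()."""
    out = {}
    for url in urls:
        try:
            strict_urlsplit(url)
            out[url] = "accepted"
        except ValueError:
            out[url] = "rejected"
    return out
```

Running classify(SAMPLE_URLS) yields the verdicts noted in the list comments; the wrapper is useful where an application must behave identically across interpreter versions or alongside a second URL parser.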

Status: PUBLISHED | Reserved 2024-11-12 | Published 2024-11-12 | Updated 2025-04-11 | Assigner PSF

MEDIUM: 6.3 CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N/AU:N

Product status

Default status: unaffected

Any version before 3.9.21: affected

3.10.0 before 3.10.16: affected

3.11.0 before 3.11.4: affected

3.12.0a1 before 3.12.0b1: affected

Credits

zer0yu (IPASSLab && ZGC Lab), reporter

References

github.com/...ommit/29f348e232e82938ba2165843c448c2b291504c5 patch

github.com/python/cpython/pull/103849 patch

github.com/python/cpython/issues/103848 issue-tracking

mail.python.org/.../thread/XPWB6XVZ5G5KGEI63M4AWLIEUF5BPH4T/ vendor-advisory

github.com/...ommit/b2171a2fd41416cf68afd67460578631d755a550 patch

github.com/...ommit/634ded45545ce8cbd6fd5d49785613dd7fa9b89e patch

github.com/...ommit/ddca2953191c67a12b1f19d6bca41016c6ae7132 patch

cve.org (CVE-2024-11168)

nvd.nist.gov (CVE-2024-11168)
