CVE-2024-11168

Published: Nov 12, 2024Modified: Nov 3, 2025

6.3

Vector

CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:X/V:X/RE:X/U:X

Show more

CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:X/V:X/RE:X/U:XShow less

Source: CNA (Secondary)

Description

The urllib.parse.urlsplit() and urlparse() functions improperly validated bracketed hosts (`[]`), allowing hosts that weren't IPv6 or IPvFuture. This behavior was not conformant to RFC 3986 and potentially enabled SSRF if a URL is processed by more than one URL parser.

Related CWEs

Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

References (9)

https://github.com/python/cpython/commit/29f348e232e82938ba2165843c448c2b291504c5

Source: cna@python.org

https://github.com/python/cpython/commit/634ded45545ce8cbd6fd5d49785613dd7fa9b89e

Source: cna@python.org

https://github.com/python/cpython/commit/b2171a2fd41416cf68afd67460578631d755a550

Source: cna@python.org

https://github.com/python/cpython/commit/ddca2953191c67a12b1f19d6bca41016c6ae7132

Source: cna@python.org

https://github.com/python/cpython/issues/103848

Source: cna@python.org

https://github.com/python/cpython/pull/103849

Source: cna@python.org

https://mail.python.org/archives/list/security-announce@python.org/thread/XPWB6XVZ5G5KGEI63M4AWLIEUF5BPH4T/

Source: cna@python.org

https://lists.debian.org/debian-lts-announce/2024/12/msg00000.html

Source: af854a3a-2127-422b-91ae-364da2661108

https://security.netapp.com/advisory/ntap-20250411-0004/

Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.