Main Vulnerability Database SB2024111507

SB2024111507 - Improper IP address validation in Python

Published: November 15, 2024

Security Bulletin ID SB2024111507

Severity

Medium

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Data manipulation

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Input validation error (CVE-ID: CVE-2024-11168)

The vulnerability allows a remote attacker to bypass security restrictions.

The vulnerability exists due to insufficient validation of bracketed hosts (e.g. []) within the urllib.parse.urlsplit() and urlparse() functions allowing hosts that weren't IPv6 or IPvFuture. A remote attacker can pass specially crafted IP address to the application to bypass implemented IP-based security checks or perform SSRF attacks.

Remediation

Install update from vendor's website.

References

https://github.com/python/cpython/commit/29f348e232e82938ba2165843c448c2b291504c5
https://github.com/python/cpython/pull/103849
https://github.com/python/cpython/issues/103848
https://mail.python.org/archives/list/security-announce@python.org/thread/XPWB6XVZ5G5KGEI63M4AWLIEUF5BPH4T/
https://github.com/python/cpython/commit/b2171a2fd41416cf68afd67460578631d755a550