CVE-2024-11168

EPSS 0.55%
Veröffentlicht 12.11.2024 22:15:14
Zuletzt bearbeitet 15.04.2026 00:35:42
Quelle cna@python.org
CVE-Watchlists
Login
Unerledigt
Login

Improper validation of IPv6 and IPvFuture addresses

The urllib.parse.urlsplit() and urlparse() functions improperly validated bracketed hosts (`[]`), allowing hosts that weren't IPv6 or IPvFuture. This behavior was not conformant to RFC 3986 and potentially enabled SSRF if a URL is processed by more than one URL parser.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 12

CNA 1 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch das CVE Programm von Authorized Data Publishers (ADP) (Unstrukturiert)

Herstellerpython_software_foundation

≫

Produkt cpython

Default Statusunknown

Version 0

Version < 3.11.4

Status affected

Version 3.12.0a1

Version < 3.12.0b1

Status affected

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.55%	0.681

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
cna@python.org	6.3	0	0	CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:X/V:X/RE:X/U:X
134c704f-9b21-4f2e-91b3-4a467353bcc0	3.7	2.2	1.4	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

CWE-918 Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

https://github.com/python/cpython/commit/29f348e232e82938ba2165843c448c2b291504c5

https://github.com/python/cpython/commit/634ded45545ce8cbd6fd5d49785613dd7fa9b89e

https://github.com/python/cpython/commit/b2171a2fd41416cf68afd67460578631d755a550

https://github.com/python/cpython/commit/ddca2953191c67a12b1f19d6bca41016c6ae7132

https://github.com/python/cpython/issues/103848

https://github.com/python/cpython/pull/103849

https://mail.python.org/archives/list/security-announce@python.org/thread/XPWB6XVZ5G5KGEI63M4AWLIEUF5BPH4T/

https://security.netapp.com/advisory/ntap-20250411-0004/

https://lists.debian.org/debian-lts-announce/2024/12/msg00000.html

https://nvd.nist.gov/vuln/detail/CVE-2024-11168

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-11168

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-11168

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2024-11168