CVE-2024-11168

EPSS 0.33%
Published 12.11.2024 22:15:14
Last modified 11.04.2025 22:15:28
Source cna@python.org
Teams watchlist Login
Open Login

The urllib.parse.urlsplit() and urlparse() functions improperly validated bracketed hosts (`[]`), allowing hosts that weren't IPv6 or IPvFuture. This behavior was not conformant to RFC 3986 and potentially enabled SSRF if a URL is processed by more than one URL parser.

Affected products Warnungen 0 Metrics 3 CWE 1 References 11

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

This information is available to logged-in users.

Daten sind bereitgestellt durch das CVE Programm von Authorized Data Publishers (ADP) (Unstrukturiert)

Vendorpython_software_foundation

≫

Product cpython

Default Statusunknown

Version < 3.11.4

Version 0

Status affected

Version < 3.12.0b1

Version 3.12.0a1

Status affected

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.33%	0.55

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
cna@python.org	6.3	0	0	CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:X/V:X/RE:X/U:X
134c704f-9b21-4f2e-91b3-4a467353bcc0	3.7	2.2	1.4	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

CWE-918 Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

https://github.com/python/cpython/commit/29f348e232e82938ba2165843c448c2b291504c5

https://github.com/python/cpython/commit/634ded45545ce8cbd6fd5d49785613dd7fa9b89e

https://github.com/python/cpython/commit/b2171a2fd41416cf68afd67460578631d755a550

https://github.com/python/cpython/commit/ddca2953191c67a12b1f19d6bca41016c6ae7132

https://github.com/python/cpython/issues/103848

https://github.com/python/cpython/pull/103849

https://mail.python.org/archives/list/security-announce@python.org/thread/XPWB6XVZ5G5KGEI63M4AWLIEUF5BPH4T/

https://security.netapp.com/advisory/ntap-20250411-0004/

https://nvd.nist.gov/vuln/detail/CVE-2024-11168

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-11168

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-11168

EUVD