CVE-2024-11168

EPSS 0.33%
Veröffentlicht 12.11.2024 22:15:14
Zuletzt bearbeitet 11.04.2025 22:15:28
Quelle cna@python.org
Teams Watchlist Login
Unerledigt Login

The urllib.parse.urlsplit() and urlparse() functions improperly validated bracketed hosts (`[]`), allowing hosts that weren't IPv6 or IPvFuture. This behavior was not conformant to RFC 3986 and potentially enabled SSRF if a URL is processed by more than one URL parser.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 11

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch das CVE Programm von Authorized Data Publishers (ADP) (Unstrukturiert)

Herstellerpython_software_foundation

≫

Produkt cpython

Default Statusunknown

Version < 3.11.4

Version 0

Status affected

Version < 3.12.0b1

Version 3.12.0a1

Status affected

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.33%	0.55

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
cna@python.org	6.3	0	0	CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:X/V:X/RE:X/U:X
134c704f-9b21-4f2e-91b3-4a467353bcc0	3.7	2.2	1.4	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

CWE-918 Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

https://github.com/python/cpython/commit/29f348e232e82938ba2165843c448c2b291504c5

https://github.com/python/cpython/commit/634ded45545ce8cbd6fd5d49785613dd7fa9b89e

https://github.com/python/cpython/commit/b2171a2fd41416cf68afd67460578631d755a550

https://github.com/python/cpython/commit/ddca2953191c67a12b1f19d6bca41016c6ae7132

https://github.com/python/cpython/issues/103848

https://github.com/python/cpython/pull/103849

https://mail.python.org/archives/list/security-announce@python.org/thread/XPWB6XVZ5G5KGEI63M4AWLIEUF5BPH4T/

https://security.netapp.com/advisory/ntap-20250411-0004/

https://nvd.nist.gov/vuln/detail/CVE-2024-11168

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-11168

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-11168

EUVD