Security-announce

Download

security-announce@python.org

November 2024

1 participants
1 discussions

[CVE-2024-11168] Improper validation of IPv6 and IPvFuture addresses
by Seth Larson Nov. 12, 2024

Nov. 12, 2024

There is a MEDIUM severity vulnerability affecting CPython. The urllib.parse.urlsplit() and urlparse() functions improperly validated bracketed hosts (`[]`), allowing hosts that weren't IPv6 or IPvFuture. This behavior was not conformant to RFC 3986 and potentially enabled SSRF if a URL is processed by more than one URL parser. Please see the linked CVE ID for the latest information on affected versions: * https://www.cve.org/cverecord?id=CVE-2024-11168 * https://github.com/python/cpython/pull/103849

1 0