Vulnerability Description
The urllib.parse.urlsplit() and urlparse() functions improperly validated bracketed hosts (`[]`), allowing hosts that weren't IPv6 or IPvFuture. This behavior was not conformant to RFC 3986 and potentially enabled SSRF if a URL is processed by more than one URL parser.
CVSS Score
LOW
Related Weaknesses (CWE)
References
- https://github.com/python/cpython/commit/29f348e232e82938ba2165843c448c2b291504c
- https://github.com/python/cpython/commit/634ded45545ce8cbd6fd5d49785613dd7fa9b89
- https://github.com/python/cpython/commit/b2171a2fd41416cf68afd67460578631d755a55
- https://github.com/python/cpython/commit/ddca2953191c67a12b1f19d6bca41016c6ae713
- https://github.com/python/cpython/issues/103848
- https://github.com/python/cpython/pull/103849
- https://mail.python.org/archives/list/[email protected]/thread/XPWB6X
- https://lists.debian.org/debian-lts-announce/2024/12/msg00000.html
- https://security.netapp.com/advisory/ntap-20250411-0004/
FAQ
What is CVE-2024-11168?
CVE-2024-11168 is a vulnerability with a CVSS score of 3.7 (LOW). The urllib.parse.urlsplit() and urlparse() functions improperly validated bracketed hosts (`[]`), allowing hosts that weren't IPv6 or IPvFuture. This behavior was not conformant to RFC 3986 and potent...
How severe is CVE-2024-11168?
CVE-2024-11168 has been rated LOW with a CVSS base score of 3.7/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2024-11168?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.