CVE-2024-11168 | Mend Vulnerability Database

Vulnerability DatabaseCVE-2024-11168

CVE-2024-11168

November 12, 2024

The urllib.parse.urlsplit() and urlparse() functions improperly validated bracketed hosts ("[]"), allowing hosts that weren't IPv6 or IPvFuture. This behavior was not conformant to RFC 3986 and potentially enabled SSRF if a URL is processed by more than one URL parser.

Additional Notes

The description of this vulnerability differs from MITRE.

Related Resources (9)

https://github.com/python/cpython/commit/b2171a2fd41416cf68afd67460578631d755a550

https://github.com/python/cpython/commit/29f348e232e82938ba2165843c448c2b291504c5

https://github.com/python/cpython/commit/634ded45545ce8cbd6fd5d49785613dd7fa9b89e

https://security.netapp.com/advisory/ntap-20250411-0004/

https://github.com/python/cpython/issues/103848

https://lists.debian.org/debian-lts-announce/2024/12/msg00000.html

https://mail.python.org/archives/list/security-announce@python.org/thread/XPWB6XVZ5G5KGEI63M4AWLIEUF5BPH4T/

https://github.com/python/cpython/commit/ddca2953191c67a12b1f19d6bca41016c6ae7132

https://github.com/python/cpython/pull/103849

Do you need more information?

CVSS v4

Base Score:

6.3

Attack Vector

NETWORK

Attack Complexity

HIGH

Attack Requirements

PRESENT

Privileges Required

NONE

User Interaction

NONE

Vulnerable System Confidentiality

NONE

Vulnerable System Integrity

LOW

Vulnerable System Availability

NONE

Subsequent System Confidentiality

NONE

Subsequent System Integrity

LOW

Subsequent System Availability

NONE

CVSS v3

Base Score:

3.7

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

LOW

Availability

NONE

Weakness Type (CWE)

Server-Side Request Forgery (SSRF)

CWE-918

EPSS

Base Score:

0.55

Products

Solutions

Resources

Company

Compare

Developer Tools