CVE-2024-11168

LOW

urllib.parse - SSRF

Title source: llm

Description

The urllib.parse.urlsplit() and urlparse() functions improperly validated bracketed hosts (`[]`), allowing hosts that weren't IPv6 or IPvFuture. This behavior was not conformant to RFC 3986 and potentially enabled SSRF if a URL is processed by more than one URL parser.

References (9)

Core 9

Core References

Mailing List

https://lists.debian.org/debian-lts-announce/2024/12/msg00000.html

Vendor Advisory

https://security.netapp.com/advisory/ntap-20250411-0004/

Patch patch

https://github.com/python/cpython/commit/29f348e232e82938ba2165843c448c2b291504c5

View Patch ZIP pw:eip

Issue Tracking patch

https://github.com/python/cpython/pull/103849

Issue Tracking issue-tracking

https://github.com/python/cpython/issues/103848

Various Sources vendor-advisory

https://mail.python.org/archives/list/[email protected]/thread/XPWB6XVZ5G5KGEI63M4AWLIEUF5BPH4T/

Patch patch

https://github.com/python/cpython/commit/b2171a2fd41416cf68afd67460578631d755a550

View Patch ZIP pw:eip

Patch patch

https://github.com/python/cpython/commit/634ded45545ce8cbd6fd5d49785613dd7fa9b89e

View Patch ZIP pw:eip

Patch patch

https://github.com/python/cpython/commit/ddca2953191c67a12b1f19d6bca41016c6ae7132

View Patch ZIP pw:eip

Scores

CVSS v3 3.7

EPSS 0.0055

EPSS Percentile 68.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact total

Details

CWE

CWE-918

Status published

Products (4)

Python Software Foundation/CPython < 3.9.21

Python Software Foundation/CPython 3.10.0 - 3.10.16

Python Software Foundation/CPython 3.11.0 - 3.11.4

Python Software Foundation/CPython 3.12.0a1 - 3.12.0b1

Published Nov 12, 2024

Tracked Since Feb 18, 2026