CVE-2024-11168 - Vulnerability Details

The urllib.parse.urlsplit() and urlparse() functions improperly validated bracketed hosts (`[]`), allowing hosts that weren't IPv6 or IPvFuture. This behavior was not conformant to RFC 3986 and potentially enabled SSRF if a URL is processed by more than one URL parser.

Attack Vector Network

Attack Complexity High

Privileges Required None

Attack Requirements Present

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact Low

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable yes

Technical Impact total

Vendors	Products
Python Software Foundation	Cpython
Redhat	Enterprise Linux

No data.

Package	CPE	Advisory	Released Date
Red Hat Enterprise Linux 8
python3-0:3.6.8-69.el8_10	cpe:/a:redhat:enterprise_linux:8	RHSA-2024:10779	2024-12-04T00:00:00Z
python3-0:3.6.8-69.el8_10	cpe:/o:redhat:enterprise_linux:8	RHSA-2024:10779	2024-12-04T00:00:00Z
Red Hat Enterprise Linux 9
python3.9-0:3.9.21-1.el9_5	cpe:/a:redhat:enterprise_linux:9	RHSA-2024:10983	2024-12-12T00:00:00Z
python3.9-0:3.9.21-1.el9_5	cpe:/o:redhat:enterprise_linux:9	RHSA-2024:10983	2024-12-12T00:00:00Z

References

Link	Providers
https://github.com/python/cpython/commit/29f348e232e82938ba2165843c448c2b291504c5
https://github.com/python/cpython/commit/634ded45545ce8cbd6fd5d49785613dd7fa9b89e
https://github.com/python/cpython/commit/b2171a2fd41416cf68afd67460578631d755a550
https://github.com/python/cpython/commit/ddca2953191c67a12b1f19d6bca41016c6ae7132
https://github.com/python/cpython/issues/103848
https://github.com/python/cpython/pull/103849
https://mail.python.org/archives/list/security-announce@python.org/thread/XPWB6XVZ5G5KGEI63M4AWLIEUF5BPH4T/
https://nvd.nist.gov/vuln/detail/CVE-2024-11168
https://security.netapp.com/advisory/ntap-20250411-0004/
https://www.cve.org/CVERecord?id=CVE-2024-11168

History

Fri, 11 Apr 2025 22:45:00 +0000

Type	Values Removed	Values Added
References		https://security.netapp.com/advisory/ntap-20250411-0004/

Thu, 12 Dec 2024 14:45:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:/a:redhat:enterprise_linux:9 cpe:/o:redhat:enterprise_linux:9

Thu, 05 Dec 2024 02:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat Redhat enterprise Linux
CPEs		cpe:/a:redhat:enterprise_linux:8 cpe:/o:redhat:enterprise_linux:8
Vendors & Products		Redhat Redhat enterprise Linux

Tue, 03 Dec 2024 20:45:00 +0000

Type	Values Removed	Values Added
References		https://github.com/python/cpython/commit/634ded45545ce8cbd6fd5d49785613dd7fa9b89e https://github.com/python/cpython/commit/ddca2953191c67a12b1f19d6bca41016c6ae7132

Wed, 13 Nov 2024 16:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Python Software Foundation Python Software Foundation cpython
Weaknesses		CWE-918
CPEs		cpe:2.3:a:python_software_foundation:cpython::::::::
Vendors & Products		Python Software Foundation Python Software Foundation cpython
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Wed, 13 Nov 2024 01:45:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-1287
References		https://nvd.nist.gov/vuln/detail/CVE-2024-11168 https://www.cve.org/CVERecord?id=CVE-2024-11168
Metrics	threat_severity `None`	cvssV3_1 `{'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N'}` threat_severity `Moderate`

Tue, 12 Nov 2024 21:45:00 +0000

Type	Values Removed	Values Added
References		https://github.com/python/cpython/commit/b2171a2fd41416cf68afd67460578631d755a550

Tue, 12 Nov 2024 21:30:00 +0000

Type	Values Removed	Values Added
Description		The urllib.parse.urlsplit() and urlparse() functions improperly validated bracketed hosts (`[]`), allowing hosts that weren't IPv6 or IPvFuture. This behavior was not conformant to RFC 3986 and potentially enabled SSRF if a URL is processed by more than one URL parser.
Title		Improper validation of IPv6 and IPvFuture addresses
References		https://github.com/python/cpython/commit/29f348e232e82938ba2165843c448c2b291504c5 https://github.com/python/cpython/issues/103848 https://github.com/python/cpython/pull/103849 https://mail.python.org/archives/list/security-announce@python.org/thread/XPWB6XVZ5G5KGEI63M4AWLIEUF5BPH4T/
Metrics		cvssV4_0 `{'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N/AU:N'}`

MITRE

Status: PUBLISHED

Assigner: PSF

Published: 2024-11-12T21:22:23.438Z

Updated: 2025-04-11T22:03:16.211Z

Reserved: 2024-11-12T21:13:15.779Z

Link: CVE-2024-11168

Vulnrichment

Updated: 2025-04-11T22:03:16.211Z

NVD

Status : Awaiting Analysis

Published: 2024-11-12T22:15:14.920

Modified: 2025-04-11T22:15:28.960

Link: CVE-2024-11168

Redhat

Severity : Moderate

Publid Date: 2024-11-12T21:22:23Z

Links: CVE-2024-11168 - Bugzilla

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-11168", "assignerOrgId": "28c92f92-d60d-412d-b760-e73465c3df22", "state": "PUBLISHED", "assignerShortName": "PSF", "dateReserved": "2024-11-12T21:13:15.779Z", "datePublished": "2024-11-12T21:22:23.438Z", "dateUpdated": "2025-04-11T22:03:16.211Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "CPython", "repo": "https://github.com/python/cpython", "vendor": "Python Software Foundation", "versions": [{"version": "0", "lessThan": "3.9.21", "status": "affected", "versionType": "python"}, {"version": "3.10.0", "lessThan": "3.10.16", "status": "affected", "versionType": "python"}, {"version": "3.11.0", "lessThan": "3.11.4", "status": "affected", "versionType": "python"}, {"version": "3.12.0a1", "lessThan": "3.12.0b1", "status": "affected", "versionType": "python"}]}], "credits": [{"lang": "en", "type": "reporter", "value": "zer0yu (IPASSLab && ZGC Lab)"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "The urllib.parse.urlsplit() and urlparse() functions improperly validated bracketed hosts (`[]`), allowing hosts that weren't IPv6 or IPvFuture. This behavior was not conformant to RFC 3986 and potentially enabled SSRF if a URL is processed by more than one URL parser.<br>"}], "value": "The urllib.parse.urlsplit() and urlparse() functions improperly validated bracketed hosts (`[]`), allowing hosts that weren't IPv6 or IPvFuture. This behavior was not conformant to RFC 3986 and potentially enabled SSRF if a URL is processed by more than one URL parser."}], "metrics": [{"cvssV4_0": {"Automatable": "NO", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "baseScore": 6.3, "baseSeverity": "MEDIUM", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "LOW", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N/AU:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "providerMetadata": {"orgId": "28c92f92-d60d-412d-b760-e73465c3df22", "shortName": "PSF", "dateUpdated": "2024-12-03T20:29:59.700Z"}, "references": [{"tags": ["patch"], "url": "https://github.com/python/cpython/commit/29f348e232e82938ba2165843c448c2b291504c5"}, {"tags": ["patch"], "url": "https://github.com/python/cpython/pull/103849"}, {"tags": ["issue-tracking"], "url": "https://github.com/python/cpython/issues/103848"}, {"tags": ["vendor-advisory"], "url": "https://mail.python.org/archives/list/security-announce@python.org/thread/XPWB6XVZ5G5KGEI63M4AWLIEUF5BPH4T/"}, {"tags": ["patch"], "url": "https://github.com/python/cpython/commit/b2171a2fd41416cf68afd67460578631d755a550"}, {"tags": ["patch"], "url": "https://github.com/python/cpython/commit/634ded45545ce8cbd6fd5d49785613dd7fa9b89e"}, {"tags": ["patch"], "url": "https://github.com/python/cpython/commit/ddca2953191c67a12b1f19d6bca41016c6ae7132"}], "source": {"discovery": "UNKNOWN"}, "title": "Improper validation of IPv6 and IPvFuture addresses", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-918", "lang": "en", "description": "CWE-918 Server-Side Request Forgery (SSRF)"}]}], "affected": [{"vendor": "python_software_foundation", "product": "cpython", "cpes": ["cpe:2.3:a:python_software_foundation:cpython:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "3.11.4", "versionType": "custom"}, {"version": "3.12.0a1", "status": "affected", "lessThan": "3.12.0b1", "versionType": "custom"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.7, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2024-11-13T15:09:42.748084Z", "id": "CVE-2024-11168", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-01-06T17:59:48.232Z"}}, {"title": "CVE Program Container", "references": [{"url": "https://security.netapp.com/advisory/ntap-20250411-0004/"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-04-11T22:03:16.211Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://security.netapp.com/advisory/ntap-20250411-0004/"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-04-11T22:03:16.211Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.7, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2024-11168", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-11-13T15:09:42.748084Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:python_software_foundation:cpython:*:*:*:*:*:*:*:*"], "vendor": "python_software_foundation", "product": "cpython", "versions": [{"status": "affected", "version": "0", "lessThan": "3.11.4", "versionType": "custom"}, {"status": "affected", "version": "3.12.0a1", "lessThan": "3.12.0b1", "versionType": "custom"}], "defaultStatus": "unknown"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918 Server-Side Request Forgery (SSRF)"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-11-13T15:13:53.557Z"}}], "cna": {"title": "Improper validation of IPv6 and IPvFuture addresses", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "reporter", "value": "zer0yu (IPASSLab && ZGC Lab)"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6.3, "Automatable": "NO", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N/AU:N", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/python/cpython", "vendor": "Python Software Foundation", "product": "CPython", "versions": [{"status": "affected", "version": "0", "lessThan": "3.9.21", "versionType": "python"}, {"status": "affected", "version": "3.10.0", "lessThan": "3.10.16", "versionType": "python"}, {"status": "affected", "version": "3.11.0", "lessThan": "3.11.4", "versionType": "python"}, {"status": "affected", "version": "3.12.0a1", "lessThan": "3.12.0b1", "versionType": "python"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://github.com/python/cpython/commit/29f348e232e82938ba2165843c448c2b291504c5", "tags": ["patch"]}, {"url": "https://github.com/python/cpython/pull/103849", "tags": ["patch"]}, {"url": "https://github.com/python/cpython/issues/103848", "tags": ["issue-tracking"]}, {"url": "https://mail.python.org/archives/list/security-announce@python.org/thread/XPWB6XVZ5G5KGEI63M4AWLIEUF5BPH4T/", "tags": ["vendor-advisory"]}, {"url": "https://github.com/python/cpython/commit/b2171a2fd41416cf68afd67460578631d755a550", "tags": ["patch"]}, {"url": "https://github.com/python/cpython/commit/634ded45545ce8cbd6fd5d49785613dd7fa9b89e", "tags": ["patch"]}, {"url": "https://github.com/python/cpython/commit/ddca2953191c67a12b1f19d6bca41016c6ae7132", "tags": ["patch"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "The urllib.parse.urlsplit() and urlparse() functions improperly validated bracketed hosts (`[]`), allowing hosts that weren't IPv6 or IPvFuture. This behavior was not conformant to RFC 3986 and potentially enabled SSRF if a URL is processed by more than one URL parser.", "supportingMedia": [{"type": "text/html", "value": "The urllib.parse.urlsplit() and urlparse() functions improperly validated bracketed hosts (`[]`), allowing hosts that weren't IPv6 or IPvFuture. This behavior was not conformant to RFC 3986 and potentially enabled SSRF if a URL is processed by more than one URL parser.<br>", "base64": false}]}], "providerMetadata": {"orgId": "28c92f92-d60d-412d-b760-e73465c3df22", "shortName": "PSF", "dateUpdated": "2024-12-03T20:29:59.700Z"}}}, "cveMetadata": {"cveId": "CVE-2024-11168", "state": "PUBLISHED", "dateUpdated": "2025-04-11T22:03:16.211Z", "dateReserved": "2024-11-12T21:13:15.779Z", "assignerOrgId": "28c92f92-d60d-412d-b760-e73465c3df22", "datePublished": "2024-11-12T21:22:23.438Z", "assignerShortName": "PSF"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The urllib.parse.urlsplit() and urlparse() functions improperly validated bracketed hosts (`[]`), allowing hosts that weren't IPv6 or IPvFuture. This behavior was not conformant to RFC 3986 and potentially enabled SSRF if a URL is processed by more than one URL parser."}, {"lang": "es", "value": "Las funciones urllib.parse.urlsplit() y urlparse() validaron incorrectamente los hosts entre corchetes (`[]`), lo que permiti\u00f3 el uso de hosts que no eran IPv6 o IPvFuture. Este comportamiento no se ajustaba a RFC 3986 y potencialmente habilitaba SSRF si una URL es procesada por m\u00e1s de un analizador de URL."}], "id": "CVE-2024-11168", "lastModified": "2025-04-11T22:15:28.960", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.7, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NO", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "LOW", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@python.org", "type": "Secondary"}]}, "published": "2024-11-12T22:15:14.920", "references": [{"source": "cna@python.org", "url": "https://github.com/python/cpython/commit/29f348e232e82938ba2165843c448c2b291504c5"}, {"source": "cna@python.org", "url": "https://github.com/python/cpython/commit/634ded45545ce8cbd6fd5d49785613dd7fa9b89e"}, {"source": "cna@python.org", "url": "https://github.com/python/cpython/commit/b2171a2fd41416cf68afd67460578631d755a550"}, {"source": "cna@python.org", "url": "https://github.com/python/cpython/commit/ddca2953191c67a12b1f19d6bca41016c6ae7132"}, {"source": "cna@python.org", "url": "https://github.com/python/cpython/issues/103848"}, {"source": "cna@python.org", "url": "https://github.com/python/cpython/pull/103849"}, {"source": "cna@python.org", "url": "https://mail.python.org/archives/list/security-announce@python.org/thread/XPWB6XVZ5G5KGEI63M4AWLIEUF5BPH4T/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://security.netapp.com/advisory/ntap-20250411-0004/"}], "sourceIdentifier": "cna@python.org", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2024:10779", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "python3-0:3.6.8-69.el8_10", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-12-04T00:00:00Z"}, {"advisory": "RHSA-2024:10779", "cpe": "cpe:/o:redhat:enterprise_linux:8", "package": "python3-0:3.6.8-69.el8_10", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-12-04T00:00:00Z"}, {"advisory": "RHSA-2024:10983", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "python3.9-0:3.9.21-1.el9_5", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-12-12T00:00:00Z"}, {"advisory": "RHSA-2024:10983", "cpe": "cpe:/o:redhat:enterprise_linux:9", "package": "python3.9-0:3.9.21-1.el9_5", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-12-12T00:00:00Z"}], "bugzilla": {"description": "python: Improper validation of IPv6 and IPvFuture addresses", "id": "2325776", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2325776"}, "csaw": false, "cvss3": {"cvss3_base_score": "3.7", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "status": "verified"}, "cwe": "CWE-1287", "details": ["The urllib.parse.urlsplit() and urlparse() functions improperly validated bracketed hosts (`[]`), allowing hosts that weren't IPv6 or IPvFuture. This behavior was not conformant to RFC 3986 and potentially enabled SSRF if a URL is processed by more than one URL parser.", "A flaw was found in Python. The `urllib.parse.urlsplit()` and `urlparse()` functions improperly validated bracketed hosts (`[]`), allowing hosts that weren't IPv6 or IPvFuture compliant. This behavior was not conformant to RFC 3986 and was potentially vulnerable to server-side request forgery (SSRF) if a URL is processed by more than one URL parser."], "name": "CVE-2024-11168", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "python3.11", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "python3.12", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "python3.11", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "python3.12", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-11-12T21:22:23Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-11168\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-11168\nhttps://github.com/python/cpython/commit/29f348e232e82938ba2165843c448c2b291504c5\nhttps://github.com/python/cpython/commit/b2171a2fd41416cf68afd67460578631d755a550\nhttps://github.com/python/cpython/issues/103848\nhttps://github.com/python/cpython/pull/103849\nhttps://mail.python.org/archives/list/security-announce@python.org/thread/XPWB6XVZ5G5KGEI63M4AWLIEUF5BPH4T/"], "threat_severity": "Moderate"}

Metrics

Attack Vector Network

Attack Complexity High

Privileges Required None

Attack Requirements Present

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact Low

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

Exploitation none

Automatable yes

Technical Impact total

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object