{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2024-11168", "assignerOrgId": "28c92f92-d60d-412d-b760-e73465c3df22", "state": "PUBLISHED", "assignerShortName": "PSF", "dateReserved": "2024-11-12T21:13:15.779Z", "datePublished": "2024-11-12T21:22:23.438Z", "dateUpdated": "2025-11-03T21:51:45.721Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "CPython", "repo": "https://github.com/python/cpython", "vendor": "Python Software Foundation", "versions": [{"version": "0", "lessThan": "3.9.21", "status": "affected", "versionType": "python"}, {"version": "3.10.0", "lessThan": "3.10.16", "status": "affected", "versionType": "python"}, {"version": "3.11.0", "lessThan": "3.11.4", "status": "affected", "versionType": "python"}, {"version": "3.12.0a1", "lessThan": "3.12.0b1", "status": "affected", "versionType": "python"}]}], "credits": [{"lang": "en", "type": "reporter", "value": "zer0yu (IPASSLab && ZGC Lab)"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "The urllib.parse.urlsplit() and urlparse() functions improperly validated bracketed hosts (`[]`), allowing hosts that weren't IPv6 or IPvFuture. This behavior was not conformant to RFC 3986 and potentially enabled SSRF if a URL is processed by more than one URL parser.<br>"}], "value": "The urllib.parse.urlsplit() and urlparse() functions improperly validated bracketed hosts (`[]`), allowing hosts that weren't IPv6 or IPvFuture. This behavior was not conformant to RFC 3986 and potentially enabled SSRF if a URL is processed by more than one URL parser."}], "metrics": [{"cvssV4_0": {"Automatable": "NO", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "baseScore": 6.3, "baseSeverity": "MEDIUM", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "LOW", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N/AU:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "providerMetadata": {"orgId": "28c92f92-d60d-412d-b760-e73465c3df22", "shortName": "PSF", "dateUpdated": "2024-12-03T20:29:59.700Z"}, "references": [{"tags": ["patch"], "url": "https://github.com/python/cpython/commit/29f348e232e82938ba2165843c448c2b291504c5"}, {"tags": ["patch"], "url": "https://github.com/python/cpython/pull/103849"}, {"tags": ["issue-tracking"], "url": "https://github.com/python/cpython/issues/103848"}, {"tags": ["vendor-advisory"], "url": "https://mail.python.org/archives/list/security-announce@python.org/thread/XPWB6XVZ5G5KGEI63M4AWLIEUF5BPH4T/"}, {"tags": ["patch"], "url": "https://github.com/python/cpython/commit/b2171a2fd41416cf68afd67460578631d755a550"}, {"tags": ["patch"], "url": "https://github.com/python/cpython/commit/634ded45545ce8cbd6fd5d49785613dd7fa9b89e"}, {"tags": ["patch"], "url": "https://github.com/python/cpython/commit/ddca2953191c67a12b1f19d6bca41016c6ae7132"}], "source": {"discovery": "UNKNOWN"}, "title": "Improper validation of IPv6 and IPvFuture addresses", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-918", "lang": "en", "description": "CWE-918 Server-Side Request Forgery (SSRF)"}]}], "affected": [{"vendor": "python_software_foundation", "product": "cpython", "cpes": ["cpe:2.3:a:python_software_foundation:cpython:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "3.11.4", "versionType": "custom"}, {"version": "3.12.0a1", "status": "affected", "lessThan": "3.12.0b1", "versionType": "custom"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.7, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2024-11-13T15:09:42.748084Z", "id": "CVE-2024-11168", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-01-06T17:59:48.232Z"}}, {"title": "CVE Program Container", "references": [{"url": "https://security.netapp.com/advisory/ntap-20250411-0004/"}, {"url": "https://lists.debian.org/debian-lts-announce/2024/12/msg00000.html"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-11-03T21:51:45.721Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://security.netapp.com/advisory/ntap-20250411-0004/"}, {"url": "https://lists.debian.org/debian-lts-announce/2024/12/msg00000.html"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-11-03T21:51:45.721Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.7, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2024-11168", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-11-13T15:09:42.748084Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:python_software_foundation:cpython:*:*:*:*:*:*:*:*"], "vendor": "python_software_foundation", "product": "cpython", "versions": [{"status": "affected", "version": "0", "lessThan": "3.11.4", "versionType": "custom"}, {"status": "affected", "version": "3.12.0a1", "lessThan": "3.12.0b1", "versionType": "custom"}], "defaultStatus": "unknown"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918 Server-Side Request Forgery (SSRF)"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-11-13T15:13:53.557Z"}}], "cna": {"title": "Improper validation of IPv6 and IPvFuture addresses", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "reporter", "value": "zer0yu (IPASSLab && ZGC Lab)"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6.3, "Automatable": "NO", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N/AU:N", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/python/cpython", "vendor": "Python Software Foundation", "product": "CPython", "versions": [{"status": "affected", "version": "0", "lessThan": "3.9.21", "versionType": "python"}, {"status": "affected", "version": "3.10.0", "lessThan": "3.10.16", "versionType": "python"}, {"status": "affected", "version": "3.11.0", "lessThan": "3.11.4", "versionType": "python"}, {"status": "affected", "version": "3.12.0a1", "lessThan": "3.12.0b1", "versionType": "python"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://github.com/python/cpython/commit/29f348e232e82938ba2165843c448c2b291504c5", "tags": ["patch"]}, {"url": "https://github.com/python/cpython/pull/103849", "tags": ["patch"]}, {"url": "https://github.com/python/cpython/issues/103848", "tags": ["issue-tracking"]}, {"url": "https://mail.python.org/archives/list/security-announce@python.org/thread/XPWB6XVZ5G5KGEI63M4AWLIEUF5BPH4T/", "tags": ["vendor-advisory"]}, {"url": "https://github.com/python/cpython/commit/b2171a2fd41416cf68afd67460578631d755a550", "tags": ["patch"]}, {"url": "https://github.com/python/cpython/commit/634ded45545ce8cbd6fd5d49785613dd7fa9b89e", "tags": ["patch"]}, {"url": "https://github.com/python/cpython/commit/ddca2953191c67a12b1f19d6bca41016c6ae7132", "tags": ["patch"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "The urllib.parse.urlsplit() and urlparse() functions improperly validated bracketed hosts (`[]`), allowing hosts that weren't IPv6 or IPvFuture. This behavior was not conformant to RFC 3986 and potentially enabled SSRF if a URL is processed by more than one URL parser.", "supportingMedia": [{"type": "text/html", "value": "The urllib.parse.urlsplit() and urlparse() functions improperly validated bracketed hosts (`[]`), allowing hosts that weren't IPv6 or IPvFuture. This behavior was not conformant to RFC 3986 and potentially enabled SSRF if a URL is processed by more than one URL parser.<br>", "base64": false}]}], "providerMetadata": {"orgId": "28c92f92-d60d-412d-b760-e73465c3df22", "shortName": "PSF", "dateUpdated": "2024-12-03T20:29:59.700Z"}}}, "cveMetadata": {"cveId": "CVE-2024-11168", "state": "PUBLISHED", "dateUpdated": "2025-11-03T21:51:45.721Z", "dateReserved": "2024-11-12T21:13:15.779Z", "assignerOrgId": "28c92f92-d60d-412d-b760-e73465c3df22", "datePublished": "2024-11-12T21:22:23.438Z", "assignerShortName": "PSF"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The urllib.parse.urlsplit() and urlparse() functions improperly validated bracketed hosts (`[]`), allowing hosts that weren't IPv6 or IPvFuture. This behavior was not conformant to RFC 3986 and potentially enabled SSRF if a URL is processed by more than one URL parser."}, {"lang": "es", "value": "Las funciones urllib.parse.urlsplit() y urlparse() validaron incorrectamente los hosts entre corchetes (`[]`), lo que permiti\u00f3 el uso de hosts que no eran IPv6 o IPvFuture. Este comportamiento no se ajustaba a RFC 3986 y potencialmente habilitaba SSRF si una URL es procesada por m\u00e1s de un analizador de URL."}], "id": "CVE-2024-11168", "lastModified": "2025-11-03T22:16:37.230", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.7, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NO", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "LOW", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@python.org", "type": "Secondary"}]}, "published": "2024-11-12T22:15:14.920", "references": [{"source": "cna@python.org", "url": "https://github.com/python/cpython/commit/29f348e232e82938ba2165843c448c2b291504c5"}, {"source": "cna@python.org", "url": "https://github.com/python/cpython/commit/634ded45545ce8cbd6fd5d49785613dd7fa9b89e"}, {"source": "cna@python.org", "url": "https://github.com/python/cpython/commit/b2171a2fd41416cf68afd67460578631d755a550"}, {"source": "cna@python.org", "url": "https://github.com/python/cpython/commit/ddca2953191c67a12b1f19d6bca41016c6ae7132"}, {"source": "cna@python.org", "url": "https://github.com/python/cpython/issues/103848"}, {"source": "cna@python.org", "url": "https://github.com/python/cpython/pull/103849"}, {"source": "cna@python.org", "url": "https://mail.python.org/archives/list/security-announce@python.org/thread/XPWB6XVZ5G5KGEI63M4AWLIEUF5BPH4T/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.debian.org/debian-lts-announce/2024/12/msg00000.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://security.netapp.com/advisory/ntap-20250411-0004/"}], "sourceIdentifier": "cna@python.org", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2024:10779", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "python3-0:3.6.8-69.el8_10", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-12-04T00:00:00Z"}, {"advisory": "RHSA-2024:10779", "cpe": "cpe:/o:redhat:enterprise_linux:8", "package": "python3-0:3.6.8-69.el8_10", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-12-04T00:00:00Z"}, {"advisory": "RHSA-2024:10983", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "python3.9-0:3.9.21-1.el9_5", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-12-12T00:00:00Z"}, {"advisory": "RHSA-2024:10983", "cpe": "cpe:/o:redhat:enterprise_linux:9", "package": "python3.9-0:3.9.21-1.el9_5", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-12-12T00:00:00Z"}], "bugzilla": {"description": "python: Improper validation of IPv6 and IPvFuture addresses", "id": "2325776", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2325776"}, "csaw": false, "cvss3": {"cvss3_base_score": "3.7", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "status": "verified"}, "cwe": "CWE-1287", "details": ["The urllib.parse.urlsplit() and urlparse() functions improperly validated bracketed hosts (`[]`), allowing hosts that weren't IPv6 or IPvFuture. This behavior was not conformant to RFC 3986 and potentially enabled SSRF if a URL is processed by more than one URL parser.", "A flaw was found in Python. The `urllib.parse.urlsplit()` and `urlparse()` functions improperly validated bracketed hosts (`[]`), allowing hosts that weren't IPv6 or IPvFuture compliant. This behavior was not conformant to RFC 3986 and was potentially vulnerable to server-side request forgery (SSRF) if a URL is processed by more than one URL parser."], "name": "CVE-2024-11168", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "python3.12", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "python3.11", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "python3.12", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "python3.11", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "python3.12", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-11-12T21:22:23Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-11168\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-11168\nhttps://github.com/python/cpython/commit/29f348e232e82938ba2165843c448c2b291504c5\nhttps://github.com/python/cpython/commit/b2171a2fd41416cf68afd67460578631d755a550\nhttps://github.com/python/cpython/issues/103848\nhttps://github.com/python/cpython/pull/103849\nhttps://mail.python.org/archives/list/security-announce@python.org/thread/XPWB6XVZ5G5KGEI63M4AWLIEUF5BPH4T/"], "statement": "Within regulated environments, a combination of the following controls act as a significant barrier to successful exploitation of a CWE-1287: Improper Validation of Specified Type of Input vulnerability and therefore downgrades the severity of this particular CVE from Moderate to Low.\nThe platform's strict role-based access control (RBAC), namespace isolation, and pod-level security constraints limit the exposure and potential impact of malformed or incorrectly typed input. Event logs are collected and processed for centralization, correlation, analysis, monitoring, reporting, alerting, and retention, which helps detect of input-based manipulation attempts. Static code analysis and peer code review techniques are used to execute robust input validation and error-handling mechanisms to ensure all user inputs are thoroughly validated, preventing improperly validated inputs from causing system instability, exposing sensitive data, or escalating risks. Additionally, process isolation ensures that compromised components are contained within the originating process, preventing it from affecting other processes or the system as a whole.", "threat_severity": "Moderate"}

{}