CVE-2024-11168
Published: November 13, 2024Last modified: July 22, 2025
Description
The urllib.parse.urlsplit() and urlparse() functions improperly validated bracketed hosts (`[]`), allowing hosts that weren't IPv6 or IPvFuture. This behavior was not conformant to RFC 3986 and potentially enabled SSRF if a URL is processed by more than one URL parser.
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 3.7 |
| Attack Vector | NETWORK |
| Attack complexity | HIGH |
| Privileges required | NONE |
| User interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality | NONE |
| Integrity impact | LOW |
| Availability impact | NONE |
| Vector | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N |
Notes
According to python changelogs the fix for this issue is shipped with python 3.11.4 and 3.12.0. So only 3.11.3 in 23-lts has ever been affected by this.
Status
| Product | Release | Package | Status |
|---|---|---|---|
| Alpaquita Linux | 23 LTS | python3 | Fixed (3.11.4-r0) |
| Hardened Containers | 23 LTS | python3 | Fixed (3.11.4-r0) |
References
- https://github.com/python/cpython/commit/29f348e232e82938ba2165843c448c2b291504c5
- https://github.com/python/cpython/commit/634ded45545ce8cbd6fd5d49785613dd7fa9b89e
- https://github.com/python/cpython/commit/b2171a2fd41416cf68afd67460578631d755a550
- https://github.com/python/cpython/commit/ddca2953191c67a12b1f19d6bca41016c6ae7132
- https://github.com/python/cpython/issues/103848
- https://github.com/python/cpython/pull/103849
- https://lists.debian.org/debian-lts-announce/2024/12/msg00000.html
- https://mail.python.org/archives/list/[email protected]/thread/XPWB6XVZ5G5KGEI63M4AWLIEUF5BPH4T/
- https://security.netapp.com/advisory/ntap-20250411-0004/