CVE-2024-11168 Information

Description

The urllib.parse.urlsplit() and urlparse() functions improperly validated bracketed hosts ([]) allowing hosts that weren’t IPv6 or IPvFuture. This behavior was not conformant to RFC 3986 and potentially enabled SSRF if a URL is processed by more than one URL parser.

Reference

https://github.com/python/cpython/commit/29f348e232e82938ba2165843c448c2b291504c5 https://github.com/python/cpython/pull/103849 https://github.com/python/cpython/issues/103848 https://mail.python.org/archives/list/security-announce@python.org/thread/XPWB6XVZ5G5KGEI63M4AWLIEUF5BPH4T/ https://github.com/python/cpython/commit/b2171a2fd41416cf68afd67460578631d755a550 The urllib.parse.urlsplit() and urlparse() functions improperly validated bracketed hosts ([]) allowing hosts that weren’t IPv6 or IPvFuture. This behavior was not conformant to RFC 3986 and potentially enabled SSRF if a URL is processed by more than one URL parser.