CVSS3: 7.5 High

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Privileges Required | NONE |
User Interaction | NONE |
Scope | UNCHANGED |
Confidentiality Impact | NONE |
Integrity Impact | HIGH |
Availability Impact | NONE |

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

EPSS: 0.001 Low (Percentile 41.7%)

An issue in the urllib.parse component of Python before 3.11.4 allows
attackers to bypass blocklisting methods by supplying a URL that starts
with blank characters.
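
An added example, not part of the original advisory or of CPython: a blocklist check that trusts `urllib.parse` on the raw string, next to a hardened form that strips leading C0 control characters and spaces and fails closed. The policy sets, function names and sample URLs are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed policy for illustration; hosts and schemes are hypothetical.
BLOCKED_SCHEMES = {"file", "ftp"}
BLOCKED_HOSTS = {"blocked.example"}
ALLOWED_SCHEMES = {"http", "https"}

# C0 control characters plus space (U+0000 to U+0020).
C0_OR_SPACE = "".join(map(chr, range(0x21)))


def naive_is_blocked(url: str) -> bool:
    """Blocklist check that trusts urlsplit() on the raw string.

    On an affected interpreter a blank-prefixed URL parses with an empty
    scheme and hostname, so neither test below matches.
    """
    parts = urlsplit(url)
    return parts.scheme in BLOCKED_SCHEMES or parts.hostname in BLOCKED_HOSTS


def hardened_is_blocked(url: str) -> bool:
    """Normalize first, then fail closed on anything not positively allowed."""
    try:
        parts = urlsplit(url.lstrip(C0_OR_SPACE))
        host = (parts.hostname or "").lower()
    except ValueError:  # malformed authority, e.g. unbalanced brackets
        return True
    if parts.scheme not in ALLOWED_SCHEMES or not host:
        return True  # unknown or missing scheme/host is rejected, not passed
    return host in BLOCKED_HOSTS or host.endswith(
        tuple("." + h for h in BLOCKED_HOSTS))


# Constructed sample inputs.
SAMPLES = [
    "https://ok.example/index.html",
    "https://blocked.example/a",
    " https://blocked.example/a",
    "\t\n file:///tmp/example",
    "   ",
]

if __name__ == "__main__":
    for u in SAMPLES:
        print(repr(u), naive_is_blocked(u), hardened_is_blocked(u))
```

The naive result for the blank-prefixed samples depends on whether the interpreter carries the fix; the hardened result does not.
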
Author | Note |
---|---|
leosilva | There are some discussions around that issue that raise doubts about whether it was properly fixed or not. Till further investigation it’ll be marked as needed again. |
OS | OS Version | Architecture | Package | Package Version | Filename |
---|---|---|---|---|---|
ubuntu | 18.04 | noarch | python2.7 | < any | UNKNOWN |
ubuntu | 20.04 | noarch | python2.7 | < any | UNKNOWN |
ubuntu | 22.04 | noarch | python2.7 | < any | UNKNOWN |
ubuntu | 14.04 | noarch | python2.7 | < 2.7.6-8ubuntu0.6+esm15 | UNKNOWN |
ubuntu | 16.04 | noarch | python2.7 | < 2.7.12-1ubuntu0~16.04.18+esm5 | UNKNOWN |
ubuntu | 22.04 | noarch | python3.10 | < 3.10.6-1~22.04.2ubuntu1.1 | UNKNOWN |
ubuntu | 22.10 | noarch | python3.10 | < 3.10.7-1ubuntu0.4 | UNKNOWN |
ubuntu | 22.04 | noarch | python3.11 | < any | UNKNOWN |
ubuntu | 14.04 | noarch | python3.4 | < any | UNKNOWN |
ubuntu | 14.04 | noarch | python3.5 | < any | UNKNOWN |
github.com/python/cpython/pull/99421
github.com/python/cpython/pull/99446 (backport for 3.11 branch)
launchpad.net/bugs/cve/CVE-2023-24329
nvd.nist.gov/vuln/detail/CVE-2023-24329
pointernull.com/security/python-url-parse-problem.html
security-tracker.debian.org/tracker/CVE-2023-24329
ubuntu.com/security/notices/USN-5888-1
ubuntu.com/security/notices/USN-5960-1
ubuntu.com/security/notices/USN-6139-1
www.cve.org/CVERecord?id=CVE-2023-24329