A high-severity security flaw has been disclosed in the Python URL parsing function that could potentially be exploited to bypass domain or protocol filtering methods implemented with a blocklist, ultimately resulting in arbitrary file reads and command execution.
"urlparse has a parsing problem when the entire URL starts with blank characters," the CERT Coordination Center (CERT/CC) said in a Friday advisory. "This problem affects both the parsing of hostname and scheme, and eventually causes any blocklisting methods to fail."
The flaw has been assigned the identifier CVE-2023-24329 and carries a CVSS score of 7.5. Security researcher Yebo Cao has been credited with discovering and reporting the issue in August 2022. It has been addressed in the following versions –
- >= 3.12
- 3.11.x >= 3.11.4
- 3.10.x >= 3.10.12
- 3.9.x >= 3.9.17
- 3.8.x >= 3.8.17, and
- 3.7.x >= 3.7.17

urllib.parse is a widely used parsing function that makes it possible to break down URLs into their constituents or, alternatively, combine the components into a URL string.

CVE-2023-24329 arises from a lack of input validation, leading to a scenario where it is possible to get around blocklisting methods by supplying a URL that starts with blank characters (e.g., " https://youtube[.]com").
"Although blocklist is considered an inferior choice, there are many scenarios where blocklist is still needed," Cao said. "This vulnerability would help an attacker to bypass the protections set by the developer for scheme and host. This vulnerability can be expected to help SSRF and RCE in a wide range of scenarios."
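The following is an added example, not code from CPython or from the advisory: it checks an interpreter version against the fixed releases listed above and applies a blocklist check that strips leading blank characters itself, so the result does not depend on the runtime being patched. The names `runtime_is_fixed` and `is_blocked` and the host `blocked.example` are assumptions made for illustration.

```python
import sys
from urllib.parse import urlsplit

# First fixed patch release per branch, taken from the version list above.
FIXED = {(3, 7): 17, (3, 8): 17, (3, 9): 17, (3, 10): 12, (3, 11): 4}


def runtime_is_fixed(version=None):
    """True if the given (or running) Python version carries the fix."""
    major, minor, micro = tuple(version or sys.version_info)[:3]
    if (major, minor) >= (3, 12):
        return True
    # Branches not in the list (older than 3.7) are treated as unfixed.
    return micro >= FIXED.get((major, minor), float("inf"))


# C0 control characters and space (U+0000 to U+0020).
_LEADING_BLANKS = "".join(chr(c) for c in range(0x21))


def is_blocked(url, blocked_hosts, allowed_schemes=("http", "https")):
    """Blocklist check that fails closed when scheme or host is missing."""
    try:
        parts = urlsplit(url.lstrip(_LEADING_BLANKS))
        host = (parts.hostname or "").rstrip(".")
    except ValueError:
        return True  # unparseable input is rejected
    # An unpatched parser returns an empty scheme and host for a URL with
    # leading blanks; treating "empty" as "blocked" closes that gap as well.
    if parts.scheme not in allowed_schemes or not host:
        return True
    return host in blocked_hosts


if __name__ == "__main__":
    blocked = {"blocked.example"}  # constructed sample blocklist
    print("runtime fixed:", runtime_is_fixed())
    for candidate in (" https://blocked.example/x", "https://ok.example/"):
        print(repr(candidate), "->", is_blocked(candidate, blocked))
```

Rejecting URLs whose scheme is not explicitly allowed keeps the check effective even for inputs the blocklist does not anticipate.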