CVE-2024-11168
Public on 2024-11-12
Modified on 2025-02-18
Description
The urllib.parse.urlsplit() and urlparse() functions improperly validated bracketed hosts (`[]`), allowing hosts that weren't IPv6 or IPvFuture. This behavior was not conformant to RFC 3986 and potentially enabled SSRF if a URL is processed by more than one URL parser.
CVSS v3 Base Score
See breakdown
Affected Packages
| Platform | Package | Release Date | Advisory | Status |
|---|---|---|---|---|
| Amazon Linux 2 - Core | python | 2025-03-25 | ALAS2-2025-2797 | Fixed |
| Amazon Linux 1 | python27 | No Fix Planned | ||
| Amazon Linux 2 - Core | python3 | 2025-02-25 | ALAS2-2025-2754 | Fixed |
| Amazon Linux 2023 | python3.11 | 2024-01-22 | ALAS2023-2024-500 | Fixed |
| Amazon Linux 2023 | python3.9 | 2025-03-26 | ALAS2023-2025-900 | Fixed |
| Amazon Linux 1 | python38 | No Fix Planned |
CVSS Scores
| Score Type | Score | Vector | |
|---|---|---|---|
| Amazon Linux | CVSSv3 | 3.7 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N |
| NVD | CVSSv3 | 3.7 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N |