.. _urlparse-scheme:

urlparse does not correctly handle schemes
==========================================

.. warning::
   This resource is maintained for historical reference and **does not contain the latest vulnerability info for Python**.

   The `canonical database for vulnerabilities affecting Python `_ is available on GitHub in the Open Source Vulnerability (OSV) format.

   This vulnerability can be viewed online at the `Open Source Vulnerability Database `_.

Fix bug in ``urlparse()`` of ``urllib.parse`` that causes URL schemes that begin with a digit, a plus sign, or a minus sign to be parsed incorrectly.

Dates:

* Disclosure date: **2022-11-12** (Python issue gh-99418 reported)

Fixed In
--------

* Python **3.11.1** (2022-12-06) fixed by `commit 72d356e (branch 3.11) `_ (2022-11-13)

Vulnerable Versions
-------------------

* Python **3.10** (need commit)
* Python **3.7** (need commit)
* Python **3.8** (need commit)
* Python **3.9** (need commit)

Python issue
------------

[CVE-2023-24329] urlparse does not correctly handle schemes that begin with ASCII digits, '+', '-', and '.' characters.

* Python issue: `gh-99418 `_
* Creation date: 2022-11-12
* Reporter: kenballus

CVE-2023-24329
--------------

An issue in the urllib.parse component of Python before v3.11 allows attackers to bypass blocklisting methods by supplying a URL that starts with blank characters.

* CVE ID: `CVE-2023-24329 `_
* Published: 2023-02-17

Timeline
--------

Timeline using the disclosure date **2022-11-12** as reference:

* 2022-11-12: `Python issue gh-99418 `_ reported by kenballus
* 2022-11-13 (**+1 day**): `commit 439b9cf (branch 3.12) `_
* 2022-11-13 (**+1 day**): `commit 72d356e (branch 3.11) `_
* 2022-12-06 (**+24 days**): Python 3.11.1 released
* 2023-02-17 (**+97 days**): CVE-2023-24329 published

Links
-----

* https://pointernull.com/security/python-url-parse-problem.html
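The practical consequence of the bug described above is that a scheme allow-list built on ``urlsplit().scheme`` behaves differently across interpreter versions. The following is an added example (not code from this page or from CPython): it applies the RFC 3986 scheme grammar directly, so the allow-list check gives the same answer whether or not the running interpreter carries the gh-99418 fix, and it reports where ``urlsplit()`` disagrees with that grammar. The function names and the sample URLs (``example.test`` hosts) are constructed for illustration.

```python
"""Version-independent scheme validation for urllib.parse.urlsplit() users."""
import re
from urllib.parse import urlsplit

# RFC 3986 section 3.1: scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )
# The first character must be a letter; digits, '+', '-' and '.' may only follow it.
_SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.-]*):")


def rfc3986_scheme(url: str):
    """Return the lower-cased scheme if url starts with a grammar-valid one, else None.

    Anchored at position 0, so leading whitespace also yields None.
    """
    match = _SCHEME_RE.match(url)
    return match.group(1).lower() if match else None


def scheme_report(url: str) -> dict:
    """Compare what this interpreter's urlsplit() reports with the RFC 3986 grammar.

    'parser_too_lenient' is True when urlsplit() accepted a scheme the grammar
    rejects, which is the behaviour gh-99418 describes on unfixed interpreters.
    """
    parsed = urlsplit(url).scheme
    strict = rfc3986_scheme(url)
    return {
        "urlsplit": parsed,
        "rfc3986": strict,
        "parser_too_lenient": bool(parsed) and parsed != strict,
    }


def is_allowed_url(url: str, allowed=("http", "https")) -> bool:
    """Allow-list check that does not depend on urlsplit()'s scheme splitting."""
    scheme = rfc3986_scheme(url)
    return scheme is not None and scheme in allowed


if __name__ == "__main__":
    # Constructed sample inputs: a normal URL, a mixed-case scheme, a scheme that
    # starts with a digit, and one that starts with '+'.
    for sample in ("https://example.test/", "HTTPS://example.test/",
                   "1+1://example.test/", "+ssh://example.test/"):
        print(f"{sample!r:28} allowed={is_allowed_url(sample)} {scheme_report(sample)}")
```

Run it under a patched and an unpatched interpreter to see ``urlsplit`` change its answer for the last two inputs while ``is_allowed_url`` stays constant.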