urlparse does not correctly handle schemes
Warning: This resource is maintained for historical reference and does not contain the latest vulnerability info for Python.
The canonical database for vulnerabilities affecting Python is available on GitHub in the Open Source Vulnerability (OSV) format. This vulnerability can be viewed online at the Open Source Vulnerability Database.
Fix bug in urlparse() of urllib.parse that causes URL schemes that begin with a digit, a plus sign, or a minus sign to be parsed incorrectly.
Dates:
- Disclosure date: 2022-11-12 (Python issue gh-99418 reported)
Fixed In
- Python 3.11.1 (2022-12-06) fixed by commit 72d356e (branch 3.11) (2022-11-13)
Vulnerable Versions
- Python 3.10 (need commit)
- Python 3.7 (need commit)
- Python 3.8 (need commit)
- Python 3.9 (need commit)
Python issue
[CVE-2023-24329] urlparse does not correctly handle schemes that begin with ASCII digits, ‘+’, ‘-’, and ‘.’ characters.
- Python issue: gh-99418
- Creation date: 2022-11-12
- Reporter: kenballus
CVE-2023-24329
An issue in the urllib.parse component of Python before v3.11 allows attackers to bypass blocklisting methods by supplying a URL that starts with blank characters.
- CVE ID: CVE-2023-24329
- Published: 2023-02-17
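As an added example (not code from CPython, from the gh-99418 fix, or from this advisory), the following is a defender-side allowlist check that identifies the scheme with an RFC 3986 grammar anchored at the very first character and rejects leading blank or control characters before the string reaches urlsplit(). Because the check does not rely on the parser to tokenize the scheme, its result is the same whether or not the installed urllib.parse accepts a scheme beginning with a digit, '+', '-' or '.' (the gh-99418 bug) or a URL that starts with blank characters (the CVE-2023-24329 description above). The function names, the allowed-scheme set and the sample URLs are assumptions made for this example.

```python
import re
from typing import FrozenSet, Optional
from urllib.parse import urlsplit

# RFC 3986: scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )
# \A anchors at the first character, so leading whitespace or control
# characters, and a first character that is a digit, '+', '-' or '.',
# all fail to match regardless of how urlparse() would handle them.
_SCHEME_RE = re.compile(r"\A[A-Za-z][A-Za-z0-9+.\-]*(?=:)")

# Example allowlist (assumption for this example): only web schemes.
ALLOWED_SCHEMES = frozenset({"http", "https"})


def extract_scheme(url: str) -> Optional[str]:
    """Return the lower-cased RFC 3986 scheme of url, or None if absent/invalid."""
    m = _SCHEME_RE.match(url)
    return m.group(0).lower() if m else None


def is_allowed_url(url: str, allowed_hosts: FrozenSet[str]) -> bool:
    """Allowlist check that does not trust the parser to identify the scheme.

    Hypothetical helper for this example: returns True only when the URL has
    no leading/trailing blanks or control characters, carries an allowed
    scheme according to the strict grammar, the parser agrees on that scheme,
    and the host is in allowed_hosts.
    """
    # Reject leading/trailing blanks and any control character outright,
    # instead of letting the parser decide what to strip.
    if url != url.strip() or any(ord(c) < 0x20 or ord(c) == 0x7F for c in url):
        return False
    scheme = extract_scheme(url)
    if scheme not in ALLOWED_SCHEMES:
        return False
    parts = urlsplit(url)
    # Belt and braces: if the installed parser disagrees with the strict
    # grammar about where the scheme ends, treat the URL as untrusted.
    if parts.scheme.lower() != scheme:
        return False
    return parts.hostname in allowed_hosts


if __name__ == "__main__":
    # Constructed sample inputs for a quick manual run.
    hosts = frozenset({"example.com"})
    for candidate in ("https://example.com/path", "1https://example.com/",
                      " https://example.com/", "+https://example.com/"):
        print(repr(candidate), "->", is_allowed_url(candidate, hosts))
```

The two-stage design matters: the strict regex decides what the scheme is, and urlsplit() is only consulted afterwards; a disagreement between the two is treated as a rejection rather than resolved in favour of the parser.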
Timeline
Timeline using the disclosure date 2022-11-12 as reference:
- 2022-11-12: Python issue gh-99418 reported by kenballus
- 2022-11-13 (+1 day): commit 439b9cf (branch 3.12)
- 2022-11-13 (+1 day): commit 72d356e (branch 3.11)
- 2022-12-06 (+24 days): Python 3.11.1 released
- 2023-02-17 (+97 days): CVE-2023-24329 published