A high-severity security flaw has been disclosed in the Python URL parsing function that could be exploited to bypass domain or protocol filtering methods implemented with a blocklist, ultimately resulting in arbitrary file reads and command execution.
“urlparse has a parsing challenge when the full URL commences with blank characters,” the CERT Coordination Center (CERT/CC) said in a Friday advisory. “This difficulty has an effect on both the parsing of hostname and scheme, and finally results in any blocklisting techniques being unsuccessful.”
The flaw has been assigned the identifier CVE-2023-24329 and carries a CVSS rating of 7.5. Security researcher Yebo Cao has been credited with discovering and reporting the issue in August 2022. It has been resolved in the following versions:
- >= 3.12
- 3.11.x >= 3.11.4
- 3.10.x >= 3.10.12
- 3.9.x >= 3.9.17
- 3.8.x >= 3.8.17, and
- 3.7.x >= 3.7.17
urllib.parse is a widely used parsing function that makes it possible to break URLs down into their constituents or, alternatively, to combine the components into a URL string.
CVE-2023-24329 arises from a lack of input validation, leading to a situation where it is possible to get around blocklisting methods by supplying a URL that starts with blank characters (e.g., “ https://youtube[.]com”).
“While blocklist is deemed an inferior option, there are quite a few scenarios in which blocklist is still necessary,” Cao stated. “This vulnerability would aid an attacker to bypass the protections established by the developer for scheme and host. This vulnerability can be envisioned to aid SSRF and RCE in a broad variety of scenarios.”
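For applications that cannot upgrade straight away, the following added example (not code from the advisory or from CPython) shows a blocklist check that strips leading blank characters itself and fails closed, plus a version check built from the fixed releases listed above. The function names and the sample blocklist entries are assumptions made for illustration.

```python
import sys
from urllib.parse import urlsplit

# Fixed releases as listed in the article: branch -> first patched micro version.
FIXED_MICRO = {(3, 7): 17, (3, 8): 17, (3, 9): 17, (3, 10): 12, (3, 11): 4}

# Constructed sample blocklists (assumptions for this example).
BLOCKED_HOSTS = {"youtube.com"}
BLOCKED_SCHEMES = {"file"}

# C0 control characters (0x00-0x1F) and space: the "blank" prefix at issue.
LEADING_BLANKS = "".join(map(chr, range(0x21)))


def interpreter_is_patched(version=sys.version_info):
    """True if the given Python version is in the article's fixed list."""
    major, minor, micro = version[:3]
    if (major, minor) >= (3, 12):
        return True
    needed = FIXED_MICRO.get((major, minor))
    # Branches the article does not list are treated as unpatched.
    return needed is not None and micro >= needed


def is_blocked(url):
    """Blocklist check that does not rely on the interpreter being patched."""
    cleaned = url.lstrip(LEADING_BLANKS)
    try:
        parts = urlsplit(cleaned)
        host = (parts.hostname or "").lower().rstrip(".")
    except ValueError:
        return True  # unparseable input: fail closed
    scheme = parts.scheme.lower()
    # Fail closed when the filter cannot identify a scheme or a web host.
    if not scheme or (scheme in ("http", "https") and not host):
        return True
    if scheme in BLOCKED_SCHEMES:
        return True
    return host in BLOCKED_HOSTS or any(
        host.endswith("." + blocked) for blocked in BLOCKED_HOSTS
    )
```

The pre-parse strip is redundant on a patched interpreter, but it gives the same verdict on every Python version, and the fail-closed branch catches inputs where no scheme or host can be identified.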