A high-severity security flaw has been disclosed in Python's URL parsing functionality that could be exploited to bypass domain or protocol filtering implemented with a blocklist, potentially resulting in arbitrary file reads and command execution.
"urlparse has a parsing problem when the entire URL starts with blank characters," the CERT Coordination Center (CERT/CC) said in a Friday advisory. "This problem affects both the parsing of hostname and scheme, and ultimately results in any blocklisting methods failing."
The flaw has been assigned the identifier CVE-2023-24329 and carries a CVSS score of 7.5. Security researcher Yebo Cao has been credited with discovering and reporting the issue in August 2022. It has been resolved in the following versions:
- >= 3.12
- 3.11.x >= 3.11.4
- 3.10.x >= 3.10.12
- 3.9.x >= 3.9.17
- 3.8.x >= 3.8.17, and
- 3.7.x >= 3.7.17
urllib.parse is a widely used parsing module that makes it possible to break a URL down into its components or, conversely, to combine those components into a URL string.
CVE-2023-24329 arises from a lack of input validation, leading to a situation where it is possible to get around blocklisting methods by supplying a URL that starts with blank characters (e.g., " https://youtube[.]com"). The parser then reports an empty scheme and no hostname, so a blocklist comparison matches nothing and lets the URL through, while the HTTP client that later consumes it strips the leading blank and connects to the blocked host.
"While blocklist is considered an inferior option, there are quite a few scenarios in which blocklist is still necessary," Cao said. "This vulnerability would help an attacker to bypass the protections set by the developer for scheme and host. This vulnerability can be expected to aid SSRF and RCE in a wide range of scenarios."
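The following is an added example, not code from the advisory or from CPython, showing a blocklist check in the shape the bug defeats next to a hardened version that normalises leading blanks and fails closed. The blocklist contents and function names are assumptions for illustration; the naive check's result depends on whether the interpreter running it carries the fix, while the hardened check behaves the same on every version.

```python
from urllib.parse import urlparse

# Constructed blocklist standing in for the "domain or protocol filtering"
# described in the advisory; the entries are assumptions for this example.
BLOCKED_SCHEMES = {"file", "ftp"}
BLOCKED_HOSTS = {"youtube.com"}

# WHATWG "C0 control or space": every code point from U+0000 through U+0020.
_C0_OR_SPACE = "".join(chr(c) for c in range(0x21))


def naive_is_blocked(url: str) -> bool:
    """Blocklist check in the shape CVE-2023-24329 defeats: parse, then compare.

    On a vulnerable interpreter a URL with a leading blank parses with an
    empty scheme and no hostname, so neither comparison matches and the
    check fails open.  Patched interpreters strip the blank themselves, so
    this function's result depends on the Python version it runs on.
    """
    parts = urlparse(url)
    return parts.scheme in BLOCKED_SCHEMES or (parts.hostname or "") in BLOCKED_HOSTS


def hardened_is_blocked(url: str) -> bool:
    """Version-independent check: normalise first, then fail closed.

    1. Strip leading/trailing C0 controls and spaces before parsing, the
       same normalisation an HTTP client applies before fetching.
    2. Treat anything that still has no scheme or no host as blocked, so a
       parser quirk can never turn a blocklist into a pass.
    """
    parts = urlparse(url.strip(_C0_OR_SPACE))
    if not parts.scheme or not parts.hostname:
        return True
    return parts.scheme in BLOCKED_SCHEMES or parts.hostname in BLOCKED_HOSTS


def parse_report(url: str) -> tuple:
    """Return (scheme, hostname) as urlparse sees them, for side-by-side display."""
    parts = urlparse(url)
    return parts.scheme, parts.hostname


if __name__ == "__main__":
    # Constructed sample inputs: the advisory's youtube.com case, a
    # tab-prefixed file:// URL, and an unrelated host that should pass.
    for sample in ["https://youtube.com", " https://youtube.com",
                   "\tfile:///some/local/file", "https://example.org"]:
        print(repr(sample), parse_report(sample),
              "naive:", naive_is_blocked(sample),
              "hardened:", hardened_is_blocked(sample))
```

Running it on an unpatched interpreter prints `naive: False` for the leading-space URL while `hardened: True` holds on every version.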
Some sections of this article are sourced from:
thehackernews.com