CVE-2024-11168

medium
Published 2024-12-12 · Modified 2024-12-16
CVSS v3: n/a
CVSS v4 (new): n/a (not yet in upstream)
VIR risk: 5.5

Description

Moderate: python3.9:3.9.21 security update

Predictions

Exploit likelihood: 20%
Patch ETA: n/a

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

Mitigation details

Source: Debian Security Tracker · DFSG


CVE-2024-11168

Name: CVE-2024-11168
Description: The urllib.parse.urlsplit() and urlparse() functions improperly validated bracketed hosts (`[]`), allowing hosts that weren't IPv6 or IPvFuture. This behavior was not conformant to RFC 3986 and potentially enabled SSRF if a URL is processed by more than one URL parser.
Source: CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References: DLA-3980-1, DLA-4354-1
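A defensive check for the parser inconsistency the description refers to, added here as an example and not part of the Debian tracker entry or of CPython: the text between the brackets is validated against RFC 3986 independently of whether the running interpreter carries the fix, so a URL such as `http://[example.com]/` is rejected before it can be handed to a second, more lenient parser. The regexes and the function names `bracketed_host_is_valid` and `safe_host` are assumptions of this example, not CPython API.

```python
import ipaddress
import re
from typing import Optional
from urllib.parse import urlsplit

# RFC 3986 IPvFuture: "v" 1*HEXDIG "." 1*( unreserved / sub-delims / ":" )
_IPVFUTURE = re.compile(r"v[0-9A-Fa-f]+\.[A-Za-z0-9\-._~!$&'()*+,;=:]+")
# Bracketed authority only: [ userinfo "@" ] "[" literal "]" [ ":" port ]
_BRACKETED_NETLOC = re.compile(r"(?:[^@\[\]]*@)?\[([^\[\]]*)\](?::\d*)?")


def bracketed_host_is_valid(literal: str) -> bool:
    """True if the text between '[' and ']' is an IPv6 address or an IPvFuture
    literal, the only two forms RFC 3986 permits inside brackets."""
    if _IPVFUTURE.fullmatch(literal):
        return True
    try:
        ipaddress.IPv6Address(literal)  # rejects host names and bare IPv4 literals
        return True
    except ValueError:
        return False


def safe_host(url: str) -> Optional[str]:
    """Parse url and return its host only when the authority is well-formed.

    Returns None when the URL must be rejected: either urlsplit() itself raised
    (patched interpreters do this for a bad bracketed host) or the bracketed
    host is not an IPv6/IPvFuture literal (the check an unpatched interpreter
    lacks). The outcome is therefore the same on patched and unpatched Pythons.
    """
    try:
        parts = urlsplit(url)
    except ValueError:
        return None
    netloc = parts.netloc
    if "[" in netloc or "]" in netloc:
        m = _BRACKETED_NETLOC.fullmatch(netloc)
        if m is None or not bracketed_host_is_valid(m.group(1)):
            return None
    return parts.hostname


if __name__ == "__main__":
    # Constructed sample inputs: two valid literals, two that must be rejected,
    # and an ordinary unbracketed host.
    for u in ("http://[::1]:8080/", "http://[v1.fe80::a+en1]/",
              "http://[example.com]/", "http://[127.0.0.1]/", "http://example.com/"):
        print(f"{u:28} -> {safe_host(u)!r}")
```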

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package     Release              Version                Status
pypy3 (PTS)        bullseye             7.3.5+dfsg-2+deb11u2   vulnerable
                   bullseye (security)  7.3.5+dfsg-2+deb11u5   fixed
                   bookworm             7.3.11+dfsg-2+deb12u3  vulnerable
                   trixie               7.3.19+dfsg-2          fixed
                   forky                7.3.22+dfsg-1          fixed
                   sid                  7.3.23+dfsg-1          fixed
python3.11 (PTS)   bookworm             3.11.2-6+deb12u7       fixed
                   bookworm (security)  3.11.2-6+deb12u3       vulnerable
python3.9 (PTS)    bullseye             3.9.2-1                vulnerable
                   bullseye (security)  3.9.2-1+deb11u7        fixed

The information below is based on the following data on fixed versions.

Package     Type    Release     Fixed Version         Urgency  Origin      Debian Bugs
pypy3       source  bullseye    7.3.5+dfsg-2+deb11u5           DLA-4354-1
pypy3       source  (unstable)  7.3.18+dfsg-1
python3.11  source  bookworm    3.11.2-6+deb12u5
python3.11  source  (unstable)  3.11.4-1
python3.12  source  (unstable)  (not affected)
python3.9   source  bullseye    3.9.2-1+deb11u2                DLA-3980-1
python3.9   source  (unstable)  (unfixed)

Notes

- python3.12 <not-affected> (Fixed with first upload to Debian unstable)
[bookworm] - pypy3 <no-dsa> (Minor issue)
https://github.com/python/cpython/issues/103848
https://github.com/python/cpython/pull/103849
https://github.com/python/cpython/commit/29f348e232e82938ba2165843c448c2b291504c5 (v3.12.0b1)
https://github.com/python/cpython/commit/b2171a2fd41416cf68afd67460578631d755a550 (v3.11.4)



OS impact

OS          Version     Status    Fixed in
rockylinux  rocky8      fixed
redhat      rhel9       fixed
suse        sles        affected
debian      bullseye    fixed     7.3.5+dfsg-2+deb11u5
debian      forky       fixed     7.3.18+dfsg-1
debian      sid         fixed     7.3.18+dfsg-1
debian      trixie      fixed     7.3.18+dfsg-1
debian      bookworm    fixed     3.11.2-6+deb12u5
almalinux   almalinux9  fixed     python3-devel-3.9.21-1.el9_5.aarch64.rpm
rockylinux  rocky9      fixed
