CVE-2023-24329: Input Validation
First published: Fri Feb 17 2023(Updated: )
An issue in the urllib.parse component of Python before 3.11.4 allows attackers to bypass blocklisting methods by supplying a URL that starts with blank characters.
Credit: cve@mitre.org cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Python Python | <3.7.17 | |
| Python Python | >=3.8.0<3.8.17 | |
| Python Python | >=3.9.0<3.9.17 | |
| Python Python | >=3.10.0<3.10.12 | |
| Python Python | >=3.11.0<3.11.4 | |
| Fedoraproject Fedora | =36 | |
| Fedoraproject Fedora | =37 | |
| Fedoraproject Fedora | =38 | |
| Netapp Active Iq Unified Manager Vmware Vsphere | ||
| Netapp Active Iq Unified Manager Windows | ||
| Netapp Management Services For Element Software | ||
| Netapp Management Services For Netapp Hci | ||
| NetApp ONTAP Select Deploy administration utility | ||
| IBM QRadar SIEM | <=7.5 - 7.5.0 UP7 | |
| redhat/python | <3.11 | 3.11 |
| debian/pypy3 | <=7.3.5+dfsg-2+deb11u2 | 7.3.5+dfsg-2+deb11u3 7.3.11+dfsg-2+deb12u2 7.3.17+dfsg-2 |
| debian/python2.7 | 2.7.18-8+deb11u1 | |
| debian/python3.11 | 3.11.2-6+deb12u4 3.11.2-6+deb12u3 | |
| debian/python3.9 | <=3.9.2-1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/python/cpython/pull/99421
- https://pointernull.com/security/python-url-parse-problem.html
- https://security.netapp.com/advisory/ntap-20230324-0004/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PURM5CFDABEWAIWZFD2MQ7ZJGCPYSQ44/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TZH26JGNZ5XYPZ5SAU3NKSBSPRE5OHTG/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/O5SP4RT3RRS434ZS2HQKQJ3VZW7YPKYR/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UONZWLB4QVLQIY5CPDLEUEKH6WX4VQMC/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EM2XLZSTXG44TMFXF4E6VTGKR2MQCW3G/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LWC4WGXER5P6Q75RFGL7QUTPP3N5JR7T/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U2MZOJYGFCB5PPT6AKMAU72N7QOYWLBP/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6PEVICI7YNGGMSL3UCMWGE66QFLATH72/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OHHJHJRLEF3TDT2K3676CAUVRDD4CCMR/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/F2NY75GFDZ5T6YPN44D3VMFT5SUVTOTG/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MZEHSXSCMA4WWQKXT6QV7AAR6SWNZ2VP/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WTOAUJNDWZDRWVSXJ354AYZYKRMT56HU/
- https://github.com/python/cpython/issues/102153
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DSL6NSOAXWBJJ67XPLSSC74MNKZF3BBO/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QRQHN7RWJQJHYP6E5EKESOYP5VDSHZG4/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/H23OSKC6UG6IWOQAUPW74YUHWRWVXJP7/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JZTLGV2HYFF4AMYJL25VDIGAIHCU7UPA/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Q3J5N24ECS4B6MJDRO6UAYU6GPLYBDCL/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T4IDB5OAR5Y4UK3HLMZBW4WEL2B7YFMJ/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RA2MBEEES6L46OD64OBSVUUMGKNGMOWW/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GR5US3BYILYJ4SKBV6YBNPRUBAL5P2CN/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PEUN6T22UJFXR7J5F6UUHCXXPKJ2DVHI/
- https://www.kb.cert.org/vuls/id/127587
- https://lists.debian.org/debian-lts-announce/2023/09/msg00022.html
- https://launchpad.net/bugs/cve/CVE-2023-24329
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2174012
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2174017
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2174018
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2174019
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2174020
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2174011
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2174010
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2174013
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2174014
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2174015
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2174016
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2174009
- https://access.redhat.com/security/cve/CVE-2007-4559
- https://github.com/python/cpython/commit/2f630e1ce18ad2e07428296532a68b11dc66ad10
- https://github.com/python/cpython/commit/610cc0ab1b760b2abaac92bd256b96191c46b941
- https://github.com/python/cpython/commit/f48a96a28012d28ae37a2f4587a780a5eb779946
- https://github.com/python/cpython/pull/104593
- https://access.redhat.com/errata/RHSA-2023:3550
- https://access.redhat.com/errata/RHSA-2023:3556
- https://access.redhat.com/errata/RHSA-2023:3555
- https://access.redhat.com/errata/RHSA-2023:3585
- https://access.redhat.com/errata/RHSA-2023:3591
- https://access.redhat.com/errata/RHSA-2023:3595
- https://access.redhat.com/errata/RHSA-2023:3594
- https://access.redhat.com/errata/RHSA-2023:3776
- https://access.redhat.com/errata/RHSA-2023:3777
- https://access.redhat.com/errata/RHSA-2023:3780
- https://access.redhat.com/errata/RHSA-2023:3781
- https://access.redhat.com/errata/RHSA-2023:3796
- https://access.redhat.com/errata/RHSA-2023:3810
- https://access.redhat.com/errata/RHSA-2023:3811
- https://access.redhat.com/errata/RHSA-2023:3931
- https://access.redhat.com/errata/RHSA-2023:3932
- https://access.redhat.com/errata/RHSA-2023:3934
- https://access.redhat.com/errata/RHSA-2023:3935
- https://access.redhat.com/errata/RHSA-2023:3936
- https://access.redhat.com/errata/RHSA-2023:4004
- https://access.redhat.com/errata/RHSA-2023:4008
- https://access.redhat.com/errata/RHSA-2023:4038
- https://access.redhat.com/errata/RHSA-2023:4032
- https://access.redhat.com/errata/RHSA-2023:4203
- https://access.redhat.com/errata/RHSA-2023:4282
- https://access.redhat.com/errata/RHSA-2023:6793
- https://bugzilla.redhat.com/show_bug.cgi?id=2173917
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6PEVICI7YNGGMSL3UCMWGE66QFLATH72/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DSL6NSOAXWBJJ67XPLSSC74MNKZF3BBO/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EM2XLZSTXG44TMFXF4E6VTGKR2MQCW3G/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F2NY75GFDZ5T6YPN44D3VMFT5SUVTOTG/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GR5US3BYILYJ4SKBV6YBNPRUBAL5P2CN/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H23OSKC6UG6IWOQAUPW74YUHWRWVXJP7/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JZTLGV2HYFF4AMYJL25VDIGAIHCU7UPA/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LWC4WGXER5P6Q75RFGL7QUTPP3N5JR7T/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MZEHSXSCMA4WWQKXT6QV7AAR6SWNZ2VP/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/O5SP4RT3RRS434ZS2HQKQJ3VZW7YPKYR/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OHHJHJRLEF3TDT2K3676CAUVRDD4CCMR/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PEUN6T22UJFXR7J5F6UUHCXXPKJ2DVHI/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PURM5CFDABEWAIWZFD2MQ7ZJGCPYSQ44/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Q3J5N24ECS4B6MJDRO6UAYU6GPLYBDCL/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QRQHN7RWJQJHYP6E5EKESOYP5VDSHZG4/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RA2MBEEES6L46OD64OBSVUUMGKNGMOWW/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T4IDB5OAR5Y4UK3HLMZBW4WEL2B7YFMJ/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TZH26JGNZ5XYPZ5SAU3NKSBSPRE5OHTG/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/U2MZOJYGFCB5PPT6AKMAU72N7QOYWLBP/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UONZWLB4QVLQIY5CPDLEUEKH6WX4VQMC/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WTOAUJNDWZDRWVSXJ354AYZYKRMT56HU/
- https://github.com/python/cpython/pull/99446
- https://github.com/python/cpython/commit/439b9cfaf43080e91c4ad69f312f21fa098befc7
- https://github.com/python/cpython/commit/72d356e3584ebfb8e813a8e9f2cd3dccf233c0d9
- https://github.com/python/cpython/pull/104575
- https://github.com/python/cpython/pull/104592
- https://github.com/python/cpython/commit/d7f8a5fe07b0ff3a419ccec434cc405b21a5a304
- https://security-tracker.debian.org/tracker/CVE-2023-24329
- https://exchange.xforce.ibmcloud.com/vulnerabilities/247730
- https://www.ibm.com/support/pages/node/7060803 (Advisory)
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-24329
- https://nvd.nist.gov/vuln/detail/CVE-2023-24329
- https://ubuntu.com/security/CVE-2023-24329
Frequently Asked Questions
What is CVE-2023-24329?
CVE-2023-24329 is an issue in the urllib.parse component of Python before version 3.11.4 that allows attackers to bypass blocklisting methods.
How severe is CVE-2023-24329?
CVE-2023-24329 has a severity rating of high (7).
Which software versions are affected by CVE-2023-24329?
CVE-2023-24329 affects Python versions up to but excluding 3.11.4.
How can the vulnerability be fixed?
To fix the vulnerability, users should update their Python installation to version 3.11.4 or later.
Where can I find more information about CVE-2023-24329?
More information about CVE-2023-24329 can be found at the following references: [link1](https://pointernull.com/security/python-url-parse-problem.html), [link2](https://github.com/python/cpython/pull/99421), [link3](https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2174012).
- agent/type
- agent/first-publish-date
- collector/launchpad-cve
- source/Launchpad
- agent/author
- agent/weakness
- agent/severity
- agent/description
- agent/event
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2023-24329
- agent/software-canonical-lookup
- agent/last-modified-date
- agent/remedy
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup-request
- collector/nvd-api
- collector/nvd-index
- agent/references
- collector/security-tracker-debian
- source/Debian
- agent/softwarecombine
- collector/ibm-support
- source/IBM
- agent/tags
- collector/usn-cve
- source/Ubuntu
- package-manager/redhat
- vendor/python
- canonical/python python
- version/python python/3.8.0
- version/python python/3.9.0
- version/python python/3.10.0
- version/python python/3.11.0
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/36
- version/fedoraproject fedora/37
- version/fedoraproject fedora/38
- vendor/netapp
- canonical/netapp active iq unified manager vmware vsphere
- canonical/netapp active iq unified manager windows
- canonical/netapp management services for element software
- canonical/netapp management services for netapp hci
- canonical/netapp ontap select deploy administration utility
- package-manager/debian
- vendor/ibm
- canonical/ibm qradar siem
- version/ibm qradar siem/7.5 - 7.5.0 up7