First published: Fri Feb 17 2023
A flaw in Python's urllib.parse component could allow a remote attacker to bypass security restrictions. Before the fix, urlsplit() and urlparse() did not strip leading blank characters from a URL, so a URL that starts with whitespace (for example a leading space) is parsed with an empty scheme and no hostname. By supplying such a specially crafted URL, an attacker can bypass blocklisting methods that make their decision on the parsed scheme or hostname.
Credit: cve@mitre.org
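The bypass described above, as an added example that is not part of the advisory or of CPython: a blocklist check that trusts urlparse() unchanged, beside a hardened check that strips the same leading characters the patched parser strips and rejects any URL whose scheme or hostname comes back empty. The blocklisted hostnames and the crafted URL are constructed for the example; the module also reports whether the interpreter it runs on carries the fix, since the vulnerable check only passes the crafted URL on an unpatched Python.

```python
"""Added example (not from the advisory or from CPython): a URL blocklist
that trusts urllib.parse.urlparse() as-is, beside a hardened version.

CVE-2023-24329: before CPython 3.11.4 (and the 3.7.17/3.8.17/3.9.17/3.10.12
backports), urlsplit() did not strip leading whitespace, so the string
" https://evil.example/" parsed with scheme '' and hostname None and a
blocklist keyed on the hostname never saw the host.
"""
from urllib.parse import urlparse

# Constructed blocklist for the example.
BLOCKED_HOSTS = {"evil.example", "metadata.internal"}

# The character set the patched parser strips from the front of a URL:
# WHATWG "C0 control or space", i.e. U+0000..U+001F plus U+0020.
C0_CONTROL_OR_SPACE = "".join(chr(c) for c in range(0x21))


def is_blocked_vulnerable(url: str) -> bool:
    """Blocklist check as commonly written before the fix.

    Returns True when the parsed hostname is on the blocklist. On an
    unpatched interpreter a URL with a leading space parses with hostname
    None, so this returns False and the request would go through.
    """
    return urlparse(url).hostname in BLOCKED_HOSTS


def normalize(url: str) -> str:
    """Strip the leading characters the patched parser strips, so the check
    and the eventual fetch see the same scheme and host on any version."""
    return url.lstrip(C0_CONTROL_OR_SPACE)


def is_allowed_hardened(url: str) -> bool:
    """Deny-by-default check: normalize, then require an explicit http(s)
    scheme and a non-empty hostname that is not blocklisted.

    An empty scheme or hostname is treated as a parse failure and rejected,
    so a parser quirk can never turn into an allow decision.
    """
    parts = urlparse(normalize(url))
    if parts.scheme not in ("http", "https"):
        return False
    host = parts.hostname  # already lower-cased by urlparse
    if not host:
        return False
    return host not in BLOCKED_HOSTS


def parser_strips_leading_space() -> bool:
    """True when the running interpreter carries the fix for this CVE,
    i.e. a leading space no longer hides the scheme from urlparse()."""
    return urlparse(" https://example.test/").scheme == "https"


if __name__ == "__main__":
    crafted = " https://evil.example/admin"  # leading U+0020, constructed
    print("interpreter patched:", parser_strips_leading_space())
    print("vulnerable check blocks crafted URL:", is_blocked_vulnerable(crafted))
    print("hardened check allows crafted URL:", is_allowed_hardened(crafted))
```

The hardened check deliberately does not rely on the interpreter being patched: it normalizes the input the same way the fix does and then refuses anything that still lacks a scheme or host, which is the behaviour a blocklist should have had regardless of the parser bug.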
| Affected Software | Affected Version | How to fix |
|---|---|---|
| IBM QRadar SIEM | 7.5 - 7.5.0 UP7 | |
| redhat/python | <3.11 | 3.11 |
| ubuntu/python2.7 | <2.7.6-8ubuntu0.6+ | 2.7.6-8ubuntu0.6+ |
| ubuntu/python2.7 | <2.7.12-1ubuntu0~16.04.18+ | 2.7.12-1ubuntu0~16.04.18+ |
| ubuntu/python3.10 | <3.10.6-1~22.04.2ubuntu1.1 | 3.10.6-1~22.04.2ubuntu1.1 |
| ubuntu/python3.10 | <3.10.7-1ubuntu0.4 | 3.10.7-1ubuntu0.4 |
| ubuntu/python3.11 | <3.11.1 | 3.11.1 |
| ubuntu/python3.5 | <3.5.2-2ubuntu0~16.04.13+ | 3.5.2-2ubuntu0~16.04.13+ |
| ubuntu/python3.6 | <3.6.9-1~18.04ubuntu1.13 | 3.6.9-1~18.04ubuntu1.13 |
| ubuntu/python3.8 | <3.8.10-0ubuntu1~20.04.8 | 3.8.10-0ubuntu1~20.04.8 |
| ubuntu/python3.9 | <3.9.5-3ubuntu0~20.04.1+ | 3.9.5-3ubuntu0~20.04.1+ |
| Python | <3.7.17 | |
| Python | >=3.8.0 <3.8.17 | |
| Python | >=3.9.0 <3.9.17 | |
| Python | >=3.10.0 <3.10.12 | |
| Python | >=3.11.0 <3.11.4 | |
| Fedora | =36 | |
| Fedora | =37 | |
| Fedora | =38 | |
| NetApp Active IQ Unified Manager for VMware vSphere | | |
| NetApp Active IQ Unified Manager for Windows | | |
| NetApp Management Services for Element Software | | |
| NetApp Management Services for NetApp HCI | | |
| NetApp ONTAP Select Deploy administration utility | | |
| debian/python2.7 | <=2.7.16-2+deb10u1 | 2.7.16-2+deb10u4, 2.7.18-8+deb11u1 |
| debian/python3.11 | <=3.11.2-6 | 3.11.9-1 |
| debian/python3.7 | <=3.7.3-2+deb10u3; <=3.7.3-2+deb10u7 | |
| debian/python3.9 | <=3.9.2-1 | |
CVE-2023-24329 is an issue in the urllib.parse component of Python before version 3.11.4 that allows attackers to bypass blocklisting methods.
CVE-2023-24329 has a severity rating of high (7).
CVE-2023-24329 affects Python 3.11 before 3.11.4; the fix was also backported to the 3.10, 3.9, 3.8 and 3.7 branches, so releases before 3.10.12, 3.9.17, 3.8.17 and 3.7.17 are affected as well.
To fix the vulnerability, update Python to 3.11.4 or later, or to the patched release of the branch in use (3.10.12, 3.9.17, 3.8.17 or 3.7.17), or apply the vendor package updates listed above. Code that cannot be upgraded should strip leading whitespace and control characters before calling urlparse() and reject any URL whose parsed scheme or hostname is empty rather than letting it through.
More information about CVE-2023-24329 can be found at the following references: [link1](https://pointernull.com/security/python-url-parse-problem.html), [link2](https://github.com/python/cpython/pull/99421), [link3](https://bugzilla.redhat.com/show_bug.cgi?id=2174012).