Описание
The urllib.parse.urlsplit() and urlparse() functions improperly validated bracketed hosts (`[]`), allowing hosts that weren't IPv6 or IPvFuture. This behavior was not conformant to RFC 3986 and potentially enabled SSRF if a URL is processed by more than one URL parser.
Пакеты
| Пакет | Статус | Версия исправления | Релиз | Тип |
|---|---|---|---|---|
| python3.12 | not-affected | package | ||
| python3.11 | fixed | 3.11.4-1 | package | |
| python3.11 | fixed | 3.11.2-6+deb12u5 | bookworm | package |
| python3.9 | removed | package | ||
| pypy3 | fixed | 7.3.18+dfsg-1 | package | |
| pypy3 | no-dsa | bookworm | package |
Примечания
https://github.com/python/cpython/issues/103848
https://github.com/python/cpython/pull/103849
https://github.com/python/cpython/commit/29f348e232e82938ba2165843c448c2b291504c5 (v3.12.0b1)
https://github.com/python/cpython/commit/b2171a2fd41416cf68afd67460578631d755a550 (v3.11.4)
EPSS
Связанные уязвимости
The urllib.parse.urlsplit() and urlparse() functions improperly validated bracketed hosts (`[]`), allowing hosts that weren't IPv6 or IPvFuture. This behavior was not conformant to RFC 3986 and potentially enabled SSRF if a URL is processed by more than one URL parser.
The urllib.parse.urlsplit() and urlparse() functions improperly validated bracketed hosts (`[]`), allowing hosts that weren't IPv6 or IPvFuture. This behavior was not conformant to RFC 3986 and potentially enabled SSRF if a URL is processed by more than one URL parser.
The urllib.parse.urlsplit() and urlparse() functions improperly validated bracketed hosts (`[]`), allowing hosts that weren't IPv6 or IPvFuture. This behavior was not conformant to RFC 3986 and potentially enabled SSRF if a URL is processed by more than one URL parser.
EPSS