{"document":{"acknowledgments":[{"urls":["https://kb.cert.org/vuls/id/127587#acknowledgements"]}],"category":"CERT/CC Vulnerability Note","csaf_version":"2.0","notes":[{"category":"summary","text":"### Overview\r\nurllib.parse is a very basic and widely used URL parsing function in various applications.\r\n\r\n### Description\r\nAn issue in the urllib.parse component of Python before v3.11 allows attackers to bypass blocklisting methods by supplying a URL that starts with blank characters.\r\n\r\nurlparse has a parsing problem when the entire URL starts with blank characters. This problem affects both the parsing of hostname and scheme, and eventually causes any blocklisting methods to fail.\r\n\r\n**URL Parsing Security** *\r\n\r\nThe [`urlsplit()`](https://docs.python.org/3/library/urllib.parse.html#urllib.parse.urlsplit \"urllib.parse.urlsplit\") and [`urlparse()`](https://docs.python.org/3/library/urllib.parse.html#urllib.parse.urlparse \"urllib.parse.urlparse\") APIs do not perform **validation** of inputs. They may not raise errors on inputs that other applications consider invalid. They may also succeed on some inputs that might not be considered URLs elsewhere. Their purpose is for practical functionality rather than purity.\r\n\r\nInstead of raising an exception on unusual input, they may instead return some component parts as empty strings. Or components may contain more than perhaps they should.\r\n\r\nWe recommend that users of these APIs where the values may be used anywhere with security implications code defensively. Do some verification within your code before trusting a returned component part. Does that `scheme` make sense? Is that a sensible `path`? Is there anything strange about that `hostname`? etc.\r\n\r\nWhat constitutes a URL is not universally well defined. Different applications have different needs and desired constraints. For instance the living [WHATWG spec](https://url.spec.whatwg.org/#concept-basic-url-parser) describes what user facing web clients such as a web browser require, while [**RFC 3986**](https://datatracker.ietf.org/doc/html/rfc3986.html) is more general. These functions incorporate some aspects of both, but cannot be claimed compliant with either. The APIs and existing user code with expectations on specific behaviors predate both standards, leading us to be very cautious about making API behavior changes.\r\n\r\n*Note: This was added as part of the documentation update in https://github.com/python/cpython/pull/102508\r\n\r\n### Impact\r\nDue to this issue, attackers can bypass any domain or protocol filtering method implemented with a blocklist. Protocol filtering failures can lead to arbitrary file reads, arbitrary command execution, SSRF, and other problems. Failure of domain name filtering may lead to re-access of blocked bad or dangerous websites or to failure of CSRF referer type defense, etc.\r\n\r\nBecause this vulnerability exists in the most basic parsing library, more advanced issues are possible.\r\n\r\n### Solution\r\nThe fixes are in the following releases:\r\n<p>fixed in >= 3.12\r\n<br>fixed in 3.11.x >= 3.11.4\r\n<br>fixed in 3.10.x >= 3.10.12\r\n<br>fixed in 3.9.x >= 3.9.17\r\n<br>fixed in 3.8.x >= 3.8.17\r\n<br>fixed in 3.7.x >= 3.7.17</p>\r\n\r\n### Acknowledgements\r\nThanks to the reporter, Yebo Cao, for researching and reporting this vulnerability.\r\n\r\nThis document was written by Ben Koo.","title":"Summary"},{"category":"legal_disclaimer","text":"THIS DOCUMENT IS PROVIDED ON AN 'AS IS' BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK.","title":"Legal Disclaimer"},{"category":"other","text":"CERT/CC Vulnerability Note is a limited advisory. It primarily identifies vendors impacted by the advisory and not specific products. We only support \"known_affected\" and \"known_not_affected\" status. Please consult the vendor's statements and advisory URL if provided by the vendor for more details.","title":"Limitations of Advisory"}],"publisher":{"category":"coordinator","contact_details":"Email: cert@cert.org, Phone: +1412 268 5800","issuing_authority":"CERT/CC under DHS/CISA https://www.cisa.gov/cybersecurity also see https://kb.cert.org/","name":"CERT/CC","namespace":"https://kb.cert.org/"},"references":[{"url":"https://certcc.github.io/certcc_disclosure_policy","summary":"CERT/CC vulnerability disclosure policy"},{"summary":"CERT/CC document released","category":"self","url":"https://kb.cert.org/vuls/id/127587"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-24329","summary":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-24329"},{"url":"https://github.com/python/cpython/issues/102153","summary":"https://github.com/python/cpython/issues/102153"}],"title":"Python Parsing Error Enabling Bypass CVE-2023-24329","tracking":{"current_release_date":"2023-08-11T22:22:45+00:00","generator":{"engine":{"name":"VINCE","version":"3.0.35"}},"id":"VU#127587","initial_release_date":"2023-02-17 00:00:00+00:00","revision_history":[{"date":"2023-08-11T22:22:45+00:00","number":"1.20230811222245.1","summary":"Released on 2023-08-11T22:22:45+00:00"}],"status":"final","version":"1.20230811222245.1"}},"vulnerabilities":[{"title":"urllib.","notes":[{"category":"summary","text":"urllib.parse is a very basic and widely used URL parsing function in various applications.\r\n\r\nOne of Python's core functions, urlparse, has a parsing problem when the entire URL starts with blank characters. This problem affects both the parsing of hostname and scheme, and eventually causes any blocklisting methods to fail."}],"cve":"CVE-2023-24329","ids":[{"system_name":"CERT/CC V Identifier","text":"VU#127587"}],"product_status":{"known_affected":["CSAFPID-b9fb4ff0-39ce-11f1-8422-122e2785dc9f"]}}],"product_tree":{"branches":[{"category":"vendor","name":"Python","product":{"name":"Python Products","product_id":"CSAFPID-b9fb4ff0-39ce-11f1-8422-122e2785dc9f"}}]}}