CVE-2024-11168

The urllib.parse.urlsplit() and urlparse() functions improperly validated bracketed hosts (`[]`), allowing hosts that weren't IPv6 or IPvFuture. This behavior was not conformant to RFC 3986 and potentially enabled SSRF if a URL is processed by more than one URL parser.
SSRF
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
3.7 LOW
NETWORK
HIGH
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
PSFCNA
---
---
CISA-ADPADP
3.7 LOW
NETWORK
HIGH
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
CVEADP
---
---
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: 62%
Debian logo
Debian Releases
Debian Product
Codename
pypy3
bullseye
vulnerable
bookworm
no-dsa
bullseye (security)
7.3.5+dfsg-2+deb11u5
fixed
trixie
7.3.19+dfsg-2
fixed
forky
7.3.20+dfsg-4
fixed
sid
7.3.20+dfsg-4
fixed
python3.11
bookworm
3.11.2-6+deb12u6
fixed
bookworm (security)
vulnerable
python3.9
bullseye
vulnerable
bookworm
no-dsa
bullseye (security)
3.9.2-1+deb11u3
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
python2.7
questing
dne
plucky
dne
oracular
dne
noble
dne
jammy
Fixed 2.7.18-13ubuntu1.5+esm5
released
focal
Fixed 2.7.18-1~20.04.7+esm6
released
bionic
Fixed 2.7.17-1~18.04ubuntu1.13+esm10
released
xenial
Fixed 2.7.12-1ubuntu0~16.04.18+esm15
released
trusty
Fixed 2.7.6-8ubuntu0.6+esm28
released
python3.4
questing
dne
plucky
dne
oracular
dne
noble
dne
jammy
dne
focal
dne
trusty
Fixed 3.4.3-1ubuntu1~14.04.7+esm14
released
python3.5
questing
dne
plucky
dne
oracular
dne
noble
dne
jammy
dne
focal
dne
xenial
Fixed 3.5.2-2ubuntu0~16.04.13+esm16
released
trusty
Fixed 3.5.2-2ubuntu0~16.04.4~14.04.1+esm4
released
python3.6
questing
dne
plucky
dne
oracular
dne
noble
dne
jammy
dne
focal
dne
bionic
Fixed 3.6.9-1~18.04ubuntu1.13+esm3
released
python3.7
questing
dne
plucky
dne
oracular
dne
noble
dne
jammy
dne
focal
dne
bionic
Fixed 3.7.5-2ubuntu1~18.04.2+esm4
released
python3.8
questing
dne
plucky
dne
oracular
dne
noble
dne
jammy
dne
focal
Fixed 3.8.10-0ubuntu1~20.04.14
released
bionic
Fixed 3.8.0-3ubuntu1~18.04.2+esm3
released
python3.9
questing
dne
plucky
dne
oracular
dne
noble
dne
jammy
dne
focal
Fixed 3.9.5-3ubuntu0~20.04.1+esm3
released
python3.10
questing
dne
plucky
dne
oracular
dne
noble
dne
jammy
Fixed 3.10.12-1~22.04.8
released
focal
dne
python3.11
questing
dne
plucky
dne
oracular
dne
noble
dne
jammy
Fixed 3.11.0~rc1-1~22.04.1~esm2
released
focal
dne
python3.12
questing
dne
plucky
dne
oracular
not-affected
noble
not-affected
jammy
dne
focal
dne
python3.13
questing
not-affected
plucky
not-affected
oracular
not-affected
noble
dne
jammy
dne
focal
dne
Common Weakness Enumeration
References
https://github.com/python/cpython/commit/29f348e232e82938ba2165843c448c2b291504c5
https://github.com/python/cpython/commit/634ded45545ce8cbd6fd5d49785613dd7fa9b89e
https://github.com/python/cpython/commit/b2171a2fd41416cf68afd67460578631d755a550
https://github.com/python/cpython/commit/ddca2953191c67a12b1f19d6bca41016c6ae7132
https://github.com/python/cpython/issues/103848
https://github.com/python/cpython/pull/103849
https://mail.python.org/archives/list/security-announce@python.org/thread/XPWB6XVZ5G5KGEI63M4AWLIEUF5BPH4T/
https://lists.debian.org/debian-lts-announce/2024/12/msg00000.html
https://security.netapp.com/advisory/ntap-20250411-0004/