Bug 2325776 (CVE-2024-11168) - CVE-2024-11168 python: Improper validation of IPv6 and IPvFuture addresses [NEEDINFO]
Summary: CVE-2024-11168 python: Improper validation of IPv6 and IPvFuture addresses
Keywords:
Status: NEW
Alias: CVE-2024-11168
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2325784 2325785 2325786 2325787 2325788 2325789
Blocks:
Reported: 2024-11-12 22:01 UTC by OSIDB Bzimport
Modified: 2025-04-11 10:51 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:
carnil: needinfo? (prodsec-dev)




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2024:10790 0 None None None 2024-12-04 10:50:02 UTC
Red Hat Product Errata RHBA-2024:10792 0 None None None 2024-12-04 12:31:06 UTC
Red Hat Product Errata RHBA-2024:10809 0 None None None 2024-12-04 21:23:54 UTC
Red Hat Product Errata RHBA-2024:10811 0 None None None 2024-12-04 21:59:21 UTC
Red Hat Product Errata RHBA-2024:10837 0 None None None 2024-12-05 10:23:10 UTC
Red Hat Product Errata RHBA-2024:10875 0 None None None 2024-12-09 09:09:27 UTC
Red Hat Product Errata RHBA-2024:10876 0 None None None 2024-12-09 09:09:39 UTC
Red Hat Product Errata RHBA-2024:10877 0 None None None 2024-12-09 09:09:35 UTC
Red Hat Product Errata RHBA-2024:10878 0 None None None 2024-12-09 09:09:51 UTC
Red Hat Product Errata RHBA-2024:10884 0 None None None 2024-12-09 14:36:19 UTC
Red Hat Product Errata RHBA-2024:10885 0 None None None 2024-12-09 14:07:54 UTC
Red Hat Product Errata RHBA-2024:10922 0 None None None 2024-12-10 14:03:24 UTC
Red Hat Product Errata RHBA-2024:10981 0 None None None 2024-12-12 08:45:03 UTC
Red Hat Product Errata RHBA-2024:10995 0 None None None 2024-12-12 11:46:56 UTC
Red Hat Product Errata RHBA-2024:10997 0 None None None 2024-12-12 12:29:03 UTC
Red Hat Product Errata RHBA-2024:10998 0 None None None 2024-12-12 12:39:49 UTC
Red Hat Product Errata RHBA-2024:10999 0 None None None 2024-12-12 12:57:57 UTC
Red Hat Product Errata RHBA-2024:11000 0 None None None 2024-12-12 13:28:07 UTC
Red Hat Product Errata RHBA-2024:11006 0 None None None 2024-12-12 14:49:51 UTC
Red Hat Product Errata RHBA-2024:11020 0 None None None 2024-12-12 19:14:31 UTC
Red Hat Product Errata RHBA-2024:11036 0 None None None 2024-12-13 09:15:51 UTC
Red Hat Product Errata RHBA-2024:11408 0 None None None 2024-12-18 15:56:54 UTC
Red Hat Product Errata RHBA-2024:11410 0 None None None 2024-12-18 16:16:35 UTC
Red Hat Product Errata RHBA-2024:11542 0 None None None 2024-12-19 13:38:00 UTC
Red Hat Product Errata RHBA-2024:11556 0 None None None 2024-12-19 15:49:09 UTC
Red Hat Product Errata RHBA-2025:0380 0 None None None 2025-01-16 17:06:35 UTC
Red Hat Product Errata RHBA-2025:1237 0 None None None 2025-02-10 16:09:28 UTC
Red Hat Product Errata RHSA-2024:10779 0 None None None 2024-12-04 08:12:31 UTC
Red Hat Product Errata RHSA-2024:10983 0 None None None 2024-12-12 09:15:52 UTC

Description OSIDB Bzimport 2024-11-12 22:01:21 UTC
The urllib.parse.urlsplit() and urlparse() functions improperly validated bracketed hosts (`[]`), allowing hosts that weren't IPv6 or IPvFuture. This behavior was not conformant to RFC 3986 and potentially enabled SSRF if a URL is processed by more than one URL parser.
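The point of the description is that a bracketed host in a URL must be an IP-literal per RFC 3986 section 3.2.2 (`"[" ( IPv6address / IPvFuture ) "]"`), and a parser that accepts anything else inside the brackets can disagree with a second parser about which host the URL names. The following is an added example, not CPython's own code and not the upstream fix: it validates the host of a parsed URL against the RFC 3986 grammar so that a bracketed host is accepted only when it is a genuine IPv6 address or an IPvFuture literal. The function names (`is_ip_literal`, `split_host_port`, `host_is_valid`) are hypothetical, and the IPvFuture pattern is a transcription of the RFC grammar chosen for this example.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# RFC 3986 section 3.2.2:
#   IPvFuture = "v" 1*HEXDIG "." 1*( unreserved / sub-delims / ":" )
# (pattern written for this example, not taken from CPython)
_IPVFUTURE = re.compile(r"\Av[0-9A-Fa-f]+\.[A-Za-z0-9\-._~!$&'()*+,;=:]+\Z")


def is_ip_literal(host: str) -> bool:
    """True iff `host` (brackets already removed) is an RFC 3986 IPv6address or IPvFuture."""
    if _IPVFUTURE.match(host):
        return True
    # Zone identifiers ("fe80::1%eth0") are RFC 6874, not RFC 3986, and the
    # ipaddress module would otherwise accept them; reject them explicitly.
    if "%" in host:
        return False
    try:
        return isinstance(ipaddress.ip_address(host), ipaddress.IPv6Address)
    except ValueError:
        return False


def split_host_port(netloc: str):
    """Split a netloc into (host, port, bracketed); return None if the brackets are malformed."""
    hostport = netloc.rpartition("@")[2]  # drop any userinfo
    if hostport.startswith("["):
        end = hostport.find("]")
        if end == -1:
            return None
        host, rest = hostport[1:end], hostport[end + 1:]
        # Only an optional ":port" may follow the closing bracket.
        if rest and not rest.startswith(":"):
            return None
        return host, rest[1:], True
    host, _, port = hostport.partition(":")
    return host, port, False


def host_is_valid(url: str) -> bool:
    """Return True only if the URL's host is well-formed under RFC 3986.

    Bracketed hosts must be IPv6 or IPvFuture; unbracketed hosts must not
    contain brackets at all. A urlsplit() that already rejects the host
    (as patched interpreters do for this CVE) is treated as invalid too.
    """
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    split = split_host_port(parts.netloc)
    if split is None:
        return False
    host, port, bracketed = split
    if port and not port.isdigit():
        return False
    if bracketed:
        return is_ip_literal(host)
    return "[" not in host and "]" not in host


if __name__ == "__main__":
    # Constructed sample URLs: the first three are RFC 3986 IP-literals,
    # the last two are the kind of bracketed host the description warns about.
    for sample in ("http://[::1]:8080/", "http://user@[2001:db8::1]/path",
                   "http://[v1.fe80::a+en1]/", "http://[example.com]/",
                   "http://[1.2.3.4]/"):
        print(f"{sample!r:40} -> {host_is_valid(sample)}")
```

Running this under an unpatched interpreter shows why a second validation layer matters: `urlsplit("http://[example.com]/")` returns normally with `hostname == "example.com"`, and only the explicit RFC 3986 check rejects it. Under a patched interpreter `urlsplit()` raises `ValueError` for the same input and `host_is_valid()` reports False for the same reason, so application code gets one consistent answer either way.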

Comment 2 Salvatore Bonaccorso 2024-11-13 08:06:09 UTC
Is this CVE assignment for https://github.com/python/cpython/issues/64470 ?

Comment 3 Salvatore Bonaccorso 2024-11-13 08:34:04 UTC
In the meantime the CVE entry exists, so this is https://www.cve.org/CVERecord?id=CVE-2024-11168

Comment 4 errata-xmlrpc 2024-12-04 08:12:29 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:10779 https://access.redhat.com/errata/RHSA-2024:10779

Comment 5 errata-xmlrpc 2024-12-12 09:15:51 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:10983 https://access.redhat.com/errata/RHSA-2024:10983
