Compile: Code Guard
A high-severity vulnerability in Python's URL parsing function can be used to bypass domain or protocol filters implemented as blocklists, potentially leading to arbitrary file reads and command execution. The vulnerability is tracked as CVE-2023-24329 and has a CVSS score of 7.5.
CERT/CC issued a security bulletin last Friday stating, "urlparse has a parsing problem when the entire URL starts with blank characters. This problem affects the parsing of both the hostname and the scheme, and eventually causes any blocklisting methods to fail."
Yebo Cao, the researcher who discovered and reported the vulnerability, said that the vulnerability has been fixed in the following versions:
>= 3.12
3.11.x >= 3.11.4
3.10.x >= 3.10.12
3.9.x >= 3.9.17
3.8.x >= 3.8.17 and
3.7.x >= 3.7.17
urllib.parse is a widely used parsing module for breaking a URL down into its components, or combining those components back into a URL string. The vulnerability is caused by a lack of input validation: an attacker can supply a URL that begins with a blank character (for example, a leading space in front of "https://youtube[.]com"), so that the scheme and hostname are not recognised and the blocklist method is bypassed.
The researcher mentioned, "Although a blocklist is considered a poor choice, it is still required in many scenarios. This vulnerability allows attackers to bypass the protections that developers have set up for schemes and hosts. In many scenarios the vulnerability can lead to SSRF and RCE."
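The following is an added example, not code from the article or from the researcher: it places the vulnerable "parse first, then compare the hostname" pattern next to a hardened check that does not depend on whether the interpreter carries the fix. The host names and the blocklist entries are constructed sample values, and `youtube.com` is used only because the article uses it as its sample host. The leading-character set mirrors what the CPython fix strips before parsing (the WHATWG C0 control characters U+0000 to U+001F, NUL included, plus the space); the hardened check rejects such URLs outright instead of silently stripping them, allowlists the scheme, and only then applies the host blocklist.

```python
"""Blocklist bypass via a leading blank character (CVE-2023-24329),
and a hardened check that behaves the same on patched and unpatched
interpreters.  Added example; all hosts below are constructed samples."""
from urllib.parse import urlparse

# Hosts the application wants to refuse (constructed sample values).
BLOCKED_HOSTS = {"youtube.com", "169.254.169.254"}

# Schemes the application actually needs; everything else is refused.
ALLOWED_SCHEMES = {"http", "https"}

# C0 control characters (U+0000..U+001F, NUL included) and the space.
# The CPython fix strips these from the front of the URL before parsing;
# unpatched interpreters left them in place, so no scheme was recognised.
LEADING_JUNK = frozenset(chr(c) for c in range(0x21))


def naive_blocklist_allows(url: str) -> bool:
    """The vulnerable pattern: parse first, then compare the hostname.

    On an unpatched interpreter ' https://youtube.com' parses with no
    scheme and no hostname, so the blocklist never matches and the URL
    is allowed through.
    """
    parsed = urlparse(url)
    return (parsed.hostname or "") not in BLOCKED_HOSTS


def urlparse_strips_leading_blanks() -> bool:
    """True when the running interpreter carries the CVE-2023-24329 fix."""
    return urlparse(" https://example.invalid").scheme == "https"


def hardened_url_allowed(url: str) -> bool:
    """Defensive check that does not rely on the interpreter being patched.

    1. refuse URLs that begin with a control character or whitespace
       instead of silently normalising them;
    2. allowlist the scheme rather than blocklisting it;
    3. require a hostname, and only then apply the host blocklist.
    """
    if not url or url[0] in LEADING_JUNK:
        return False
    parsed = urlparse(url)
    if parsed.scheme not in ALLOWED_SCHEMES:
        return False
    host = parsed.hostname
    if not host:
        return False
    return host not in BLOCKED_HOSTS


if __name__ == "__main__":
    samples = [
        "https://example.com/page",
        "https://youtube.com/watch",
        " https://youtube.com/watch",      # leading space
        "\x00https://youtube.com/watch",   # leading NUL
        "file:///etc/passwd",
    ]
    print("interpreter strips leading blanks:", urlparse_strips_leading_blanks())
    for url in samples:
        print(repr(url),
              "naive:", naive_blocklist_allows(url),
              "hardened:", hardened_url_allowed(url))
```

Running this on an interpreter without the fix shows the naive check letting the leading-space URL through; on a patched interpreter the naive check happens to block it because `urlparse` now strips the blank, but the hardened check gives the same answer either way, which is the property a filter should have.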
Original link
https://thehackernews.com/2023/08/new-python-url-parsing-flaw-enables.html
Title image: Pixabay License
This article was compiled by Qi Anxin and does not represent the views of Qi Anxin. Please indicate "Reprinted from Qi Anxin Code Guard https://codesafe.qianxin.com".