New Python URL parsing vulnerability could lead to command execution attacks

A high-severity security vulnerability has been disclosed in Python's URL parsing function. It could allow domain or protocol filtering implemented with a blocklist to be bypassed, resulting in arbitrary file reads and command execution.

The CERT Coordination Center (CERT/CC) said in an advisory on Friday that urlparse can have parsing problems when the entire URL begins with whitespace characters. "This issue affects hostname and scheme resolution, ultimately causing any interception list approach to fail."

The vulnerability is tracked as CVE-2023-24329 and has a CVSS score of 7.5. Security researcher Yebo Cao discovered and reported it in August 2022. It has been resolved in the following versions:

  • >= 3.12
  • 3.11.x >= 3.11.4
  • 3.10.x >= 3.10.12
  • 3.9.x >= 3.9.17
  • 3.8.x >= 3.8.17
  • 3.7.x >= 3.7.17

urllib.parse is a widely used parsing module whose functions break a URL into its components or combine components back into a single URL string.

CVE-2023-24329 arises from a lack of input validation, which makes it possible to bypass blocklisting by supplying a URL that starts with whitespace characters, such as " https://youtube[.]com" (note the leading space).

This vulnerability can help attackers bypass protection measures set by the host and facilitate server-side request forgery (SSRF) and remote code execution (RCE) in a variety of scenarios.
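A defensive check for the behaviour described above, as an added example that is not from the original article or from CPython: it strips leading C0 control characters and spaces before parsing and fails closed when no scheme or host is recovered. The host names, blocklists and function names are constructed for illustration.

```python
from urllib.parse import urlsplit

# Leading characters the WHATWG URL spec strips: C0 controls (0x00-0x1F) and space.
C0_CONTROL_OR_SPACE = "".join(chr(c) for c in range(0x21))

# Constructed sample policy (hypothetical hosts, not from the article).
BLOCKED_HOSTS = {"blocked.example"}
BLOCKED_SCHEMES = {"file"}


def naive_is_blocked(url):
    """Blocklist check that trusts urlsplit() on the raw string."""
    parts = urlsplit(url)
    return parts.scheme in BLOCKED_SCHEMES or parts.hostname in BLOCKED_HOSTS


def hardened_is_blocked(url):
    """Normalize before parsing and fail closed when the parse is incomplete."""
    try:
        parts = urlsplit(url.lstrip(C0_CONTROL_OR_SPACE))
    except ValueError:
        return True  # malformed input is rejected, not passed on
    if not parts.scheme or parts.scheme in BLOCKED_SCHEMES:
        return True  # an empty scheme means the parser did not understand the input
    host = (parts.hostname or "").rstrip(".")
    return not host or host in BLOCKED_HOSTS


def parser_has_fix():
    """True if this interpreter's urlsplit() already strips leading whitespace."""
    return urlsplit(" https://blocked.example/").scheme == "https"


if __name__ == "__main__":
    samples = [  # constructed inputs
        "https://blocked.example/",
        " https://blocked.example/",
        " file:///etc/passwd",
        "https://allowed.example/page",
    ]
    print("urlsplit strips leading whitespace:", parser_has_fix())
    for url in samples:
        print(repr(url), naive_is_blocked(url), hardened_is_blocked(url))
```

On an interpreter older than the fixed versions listed above, `parser_has_fix()` returns `False` and the naive check lets the space-prefixed URL through, while the hardened check gives the same answer on every version.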

 


Origin blog.csdn.net/FreeBuf_/article/details/132281158