{
  "threat_severity" : "Moderate",
  "public_date" : "2024-11-12T21:22:23Z",
  "bugzilla" : {
    "description" : "python: Improper validation of IPv6 and IPvFuture addresses",
    "id" : "2325776",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2325776"
  },
  "cvss3" : {
    "cvss3_base_score" : "3.7",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-1287",
  "details" : [ "The urllib.parse.urlsplit() and urlparse() functions improperly validated bracketed hosts (`[]`), allowing hosts that were not valid IPv6 or IPvFuture addresses. This behavior was not conformant to RFC 3986 and potentially enabled SSRF when a URL is processed by more than one URL parser.", "A flaw was found in Python. The `urllib.parse.urlsplit()` and `urlparse()` functions improperly validated bracketed hosts (`[]`), allowing hosts that weren't IPv6 or IPvFuture compliant. This behavior was not conformant to RFC 3986 and was potentially vulnerable to server-side request forgery (SSRF) if a URL is processed by more than one URL parser." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2024-12-04T00:00:00Z",
    "advisory" : "RHSA-2024:10779",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "python3-0:3.6.8-69.el8_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2025-12-18T00:00:00Z",
    "advisory" : "RHSA-2025:23530",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "python39:3.9-8100020251126112422.d47b87a4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2025-12-18T00:00:00Z",
    "advisory" : "RHSA-2025:23530",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "python39-devel:3.9-8100020251126112422.d47b87a4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2024-12-04T00:00:00Z",
    "advisory" : "RHSA-2024:10779",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "python3-0:3.6.8-69.el8_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-12-12T00:00:00Z",
    "advisory" : "RHSA-2024:10983",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "python3.9-0:3.9.21-1.el9_5"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-12-12T00:00:00Z",
    "advisory" : "RHSA-2024:10983",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "python3.9-0:3.9.21-1.el9_5"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "python3.12",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "python3.11",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "python3.12",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "python3.11",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "python3.12",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-11168\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-11168\nhttps://github.com/python/cpython/commit/29f348e232e82938ba2165843c448c2b291504c5\nhttps://github.com/python/cpython/commit/b2171a2fd41416cf68afd67460578631d755a550\nhttps://github.com/python/cpython/issues/103848\nhttps://github.com/python/cpython/pull/103849\nhttps://mail.python.org/archives/list/security-announce@python.org/thread/XPWB6XVZ5G5KGEI63M4AWLIEUF5BPH4T/" ],
  "name" : "CVE-2024-11168",
  "csaw" : false
}