The Python URL parsing method has been found to contain a serious security flaw. This weakness might be used to get around domain or protocol filtering systems that depend on a block list. Therefore, it can result in unauthorized file access and the execution of uncontrolled commands.
The issue was identified by the CERT Coordination Centre (CERT/CC) in a Friday alert, which informed readers that a parsing error in the URL parser happens when the entire URL begins with empty characters. This problem affects both hostname and scheme parsing, which ultimately causes all blocklisting methods to fail.
The vulnerability gets a CVSS score of 7.5 and the identifier CVE-2023-24329. Yebo Cao, a security researcher, is credited with finding and disclosing this problem in August 2022. The urllib.parse function is frequently used for URL parsing, allowing URLs to be broken down into their component parts or combined into a URL string. t has been addressed in the following versions –
- >= 3.12
- 3.11.x >= 3.11.4
- 3.10.x >= 3.10.12
- 3.9.x >= 3.9.17
- 3.8.x >= 3.8.17, and
- 3.7.x >= 3.7.17
Due to insufficient input validation, CVE-2023-24329 makes it possible to bypass blocklisting techniques by giving a URL that starts with empty characters, such as “https://youtube[.]com”.
Although a blocklist technique can be viewed as less ideal, Cao stated that there are still many instances where it is necessary. “This flaw makes it possible for an attacker to get through the security measures set up by the developer for both scheme and host. This vulnerability therefore has the potential to enable Server-Side Request Forgery (SSRF) and Remote Code Execution (RCE) in a variety of circumstances.
Read Also
- China-Linked Hackers Hit 17 Nations in 3 Years
- Indie Game Threatens Portal 2’s Top Spot on Steam
- Baldur’s Gate 3 Expected to be a Success on PS5
- Major Cybersecurity Agencies Reveal 2022’s Most Exploited Vulnerabilities
Bethany Wilson 
