Fluid Attacks Database

Description

An issue in the urllib.parse component of Python before 3.11.4 allows attackers to bypass blocklisting methods by supplying a URL that starts with blank characters.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 11	python3.9	=3.9.2-1 \|\| =3.9.2-1+deb11u1 \|\| >=0 <3.9.2-1+deb11u2	3.9.2-1+deb11u2
debian 14	pypy3	>=0 <7.3.12+dfsg-1	7.3.12+dfsg-1
debian 11	pypy3	=7.3.5+dfsg-2 \|\| =7.3.5+dfsg-2+deb11u1 \|\| =7.3.5+dfsg-2+deb11u2 \|\| >=0 <7.3.5+dfsg-2+deb11u3	7.3.5+dfsg-2+deb11u3
debian 12	pypy3	=7.3.11+dfsg-2 \|\| =7.3.11+dfsg-2+deb12u1 \|\| >=0 <7.3.11+dfsg-2+deb12u2	7.3.11+dfsg-2+deb12u2
debian 13	pypy3	>=0 <7.3.12+dfsg-1	7.3.12+dfsg-1
debian 11	python2.7	=2.7.18-8 \|\| >=0 <2.7.18-8+deb11u1	2.7.18-8+deb11u1
debian 12	python3.11	=3.11.2-6 \|\| =3.11.2-6+deb12u1 \|\| >=0 <3.11.2-6+deb12u2	3.11.2-6+deb12u2
rpm rhel6	python	-	-
rpm rhel7	python	<0:2.7.5-93.el7_9	0:2.7.5-93.el7_9
rpm rhel7	python3	<0:3.6.8-19.el7_9	0:3.6.8-19.el7_9

1-10 of 24

Aliases

1. CVE-2023-243292. NVD-2023-243293. OSV-DEBIAN-2023-243294. OSV-2023-243295. SECURITY-TRACKER-CVE-2023-24329

References

1. https://github.com/H4R335HR/CVE-2023-24329-PoC

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.