Fluid Attacks Database

Description

The urllib.parse.urlsplit() and urlparse() functions improperly validated bracketed hosts ([]), allowing hosts that weren't IPv6 or IPvFuture. This behavior was not conformant to RFC 3986 and potentially enabled SSRF if a URL is processed by more than one URL parser.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 12	pypy3	=7.3.11+dfsg-2 \|\| =7.3.11+dfsg-2+deb12u1 \|\| =7.3.11+dfsg-2+deb12u2 \|\| =7.3.11+dfsg-2+deb12u3 \|\| =7.3.12+dfsg-1 \|\| =7.3.12~rc1+dfsg-1 \|\| =7.3.12~rc2+dfsg-1 \|\| =7.3.13+dfsg-1 \|\| =7.3.14+dfsg-1 \|\| =7.3.15+dfsg-1 \|\| =7.3.16+dfsg-1 \|\| =7.3.16+dfsg-2 \|\| =7.3.17+dfsg-1 \|\| =7.3.17+dfsg-2 \|\| =7.3.17+dfsg-3 \|\| =7.3.18+dfsg-1 \|\| =7.3.18+dfsg-2 \|\| =7.3.19+dfsg-1 \|\| =7.3.19+dfsg-2 \|\| =7.3.20+dfsg-1 \|\| =7.3.20+dfsg-2 \|\| =7.3.20+dfsg-3 \|\| =7.3.20+dfsg-4 \|\| =7.3.21+dfsg-1 \|\| =7.3.21+dfsg-2 \|\| =7.3.21+dfsg-3 \|\| =7.3.21+dfsg-4	-
debian 14	pypy3	>=0 <7.3.18+dfsg-1	7.3.18+dfsg-1
debian 12	python3.11	=3.11.2-6 \|\| =3.11.2-6+deb12u1 \|\| =3.11.2-6+deb12u2 \|\| =3.11.2-6+deb12u3 \|\| =3.11.2-6+deb12u4 \|\| >=0 <3.11.2-6+deb12u5	3.11.2-6+deb12u5
debian 11	pypy3	=7.3.5+dfsg-2 \|\| =7.3.5+dfsg-2+deb11u1 \|\| =7.3.5+dfsg-2+deb11u2 \|\| =7.3.5+dfsg-2+deb11u3 \|\| =7.3.5+dfsg-2+deb11u4 \|\| >=0 <7.3.5+dfsg-2+deb11u5	7.3.5+dfsg-2+deb11u5
debian 13	pypy3	>=0 <7.3.18+dfsg-1	7.3.18+dfsg-1
debian 11	python3.9	=3.9.2-1 \|\| =3.9.2-1+deb11u1 \|\| >=0 <3.9.2-1+deb11u2	3.9.2-1+deb11u2
rpm rhel8	python3	<0:3.6.8-69.el8_10	0:3.6.8-69.el8_10
rpm rhel8	python39-devel	<0:3.9.25-2.module+el8.10.0+23718+1842ae33	0:3.9.25-2.module+el8.10.0+23718+1842ae33
rpm rhel9	python3.9	<0:3.9.21-1.el9_5	0:3.9.21-1.el9_5
rpm rhel8	python39	<0:3.9.25-2.module+el8.10.0+23718+1842ae33	0:3.9.25-2.module+el8.10.0+23718+1842ae33

Aliases

1. CVE-2024-111682. NVD-2024-111683. OSV-DEBIAN-2024-111684. OSV-2024-111685. SECURITY-TRACKER-CVE-2024-11168