New Python URL Parsing Flaw Could Enable Command Execution Attacks
A high-severity security flaw has been disclosed in the Python URL parsing function that could be exploited to bypass domain or protocol filtering methods implemented with a blocklist, ultimately resulting in arbitrary file reads and command execution.
"Urlparse has a parsing problem when the entire URL starts with blank characters," the CERT Coordination Center said in a Friday advisory.
"This problem affects both the parsing of hostname and scheme, and eventually causes any blocklisting methods to fail."
urlparse is a widely used parsing function that breaks a URL down into its components or, conversely, combines the components back into a URL string.
CVE-2023-24329 arises as a result of a lack of input validation, thereby leading to a scenario where it's possible to get around blocklisting methods by supplying a URL that starts with blank characters.
"Although blocklist is considered an inferior choice, there are many scenarios where blocklist is still needed," Cao said.
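The failure mode described above, as an added example that is not part of the news item or of CPython itself: a blocklist check that trusts whatever urlparse() reports for scheme and hostname, beside a fail-closed check that rejects blank and control characters before parsing and so behaves the same on patched and unpatched interpreters. The blocklist and allowlist contents are constructed for the demonstration, and the note that the patched urlsplit() strips leading space and C0 control characters is my reading of the fix, not a statement from the advisory.

```python
"""Added example: blocklist bypass via leading blank characters (CVE-2023-24329)
and a version-independent hardened check.  Not code from the advisory or CPython."""
from urllib.parse import urlparse

# Constructed sample policy for the demonstration.
BLOCKED_SCHEMES = {"file", "ftp"}
BLOCKED_HOSTS = {"internal.example", "169.254.169.254"}
ALLOWED_SCHEMES = {"http", "https"}


def naive_is_blocked(url: str) -> bool:
    """Blocklist check in the style the advisory says fails: trust the scheme and
    hostname that urlparse() returns.

    On CPython before the fix (3.11.4 per the CVE entry), a URL such as
    " file:///tmp/demo.txt" parses with an empty scheme and no hostname, so this
    returns False and the URL slips through.  On a patched interpreter the leading
    blanks are stripped inside urlsplit() and the same URL is caught.
    """
    parts = urlparse(url)
    return parts.scheme.lower() in BLOCKED_SCHEMES or (parts.hostname or "") in BLOCKED_HOSTS


def has_leading_junk(url: str) -> bool:
    """True if the URL has leading/trailing whitespace or contains any ASCII
    space, C0 control character or DEL anywhere.  None of these are valid in a
    URL, so rejecting them costs nothing and removes the parser-dependent path.
    """
    if url != url.strip():
        return True
    return any(ord(ch) < 0x21 or ord(ch) == 0x7F for ch in url)


def hardened_is_allowed(url: str) -> bool:
    """Fail-closed policy: reject anything odd before parsing, then require an
    allowlisted scheme and a hostname that is present and not blocklisted.
    Pairing a scheme allowlist with the host blocklist is the point the
    researcher makes: the blocklist is still needed, but it is not the only gate.
    """
    if not url or has_leading_junk(url):
        return False
    parts = urlparse(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    host = parts.hostname  # already lowercased by urlparse
    if not host:           # no authority component at all (e.g. a bare path)
        return False
    return host not in BLOCKED_HOSTS


def parse_report(url: str) -> dict:
    """What this interpreter's urlparse() makes of a URL; compare the output on a
    Python before and after 3.11.4 to see the scheme/hostname difference."""
    parts = urlparse(url)
    return {"scheme": parts.scheme, "hostname": parts.hostname, "path": parts.path}


if __name__ == "__main__":
    # Constructed candidates: clean, leading space, leading C0 control character.
    for candidate in ("file:///tmp/demo.txt", " file:///tmp/demo.txt",
                      "https://internal.example/", "\x1fhttps://internal.example/"):
        print(repr(candidate), parse_report(candidate),
              "naive_blocked=%s" % naive_is_blocked(candidate),
              "hardened_allowed=%s" % hardened_is_allowed(candidate))
```

Running the script on an interpreter older than 3.11.4 shows the naive check returning False for the padded URLs while the hardened check rejects them on every version; the design choice is to treat the presence of blank or control characters as a policy violation in its own right rather than to normalise them away and trust the parser.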
News URL
https://thehackernews.com/2023/08/new-python-url-parsing-flaw-enables.html
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-02-17 | CVE-2023-24329 | Improper Input Validation vulnerability in multiple products. An issue in the urllib.parse component of Python before 3.11.4 allows attackers to bypass blocklisting methods by supplying a URL that starts with blank characters. | 7.5 |