CVE-2023-24329: Python urllib.parse Flaw Allows Attackers to Bypass Blocklisting
A vulnerability has been discovered in the Python urllib.parse component that allows attackers to bypass blocklisting methods by supplying a URL that starts with blank characters. This vulnerability, which has been assigned the identifier CVE-2023-24329, has a CVSS score of 7.5 and could be exploited to cause a variety of security problems, including arbitrary file reads, arbitrary command execution, SSRF, and CSRF.
In August 2022, security researcher Yebo Cao discovered a dangerous flaw in the urllib.parse component of Python versions preceding v3.11. This seemingly simple issue has left many developers puzzled: because urlparse() does not treat a leading blank character as part of a malformed URL, attackers can bypass blocklisting methods simply by supplying a URL that starts with blank characters, so the scheme and host a filter expects to inspect are never recognised.
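To make the mechanism concrete, here is an added example (not from the original article or from CPython) that contrasts a host blocklist check written the naive way with a hardened one that rejects leading blanks and control characters before parsing; the blocklist entries are constructed sample values.

```python
from urllib.parse import urlparse

# Constructed sample blocklist: internal hosts an application refuses to fetch.
BLOCKED_HOSTS = {"169.254.169.254", "localhost", "internal.example"}


def naive_is_blocked(url: str) -> bool:
    """Blocklist check as many applications wrote it: parse, then inspect the host.

    On an unpatched interpreter a leading blank (e.g. " http://localhost/") makes
    urlparse() return scheme='' and netloc='', so hostname is None and the host is
    never compared against the blocklist. The request is then allowed through.
    """
    parsed = urlparse(url)
    return parsed.hostname in BLOCKED_HOSTS


def hardened_is_blocked(url: str) -> bool:
    """Hardened check: validate the raw string before consulting the blocklist.

    Any leading/trailing whitespace or ASCII control character is treated as a
    blocked request rather than silently stripped, and anything that does not
    parse to an http(s) URL with a host is rejected (fail closed).
    """
    if url != url.strip() or any(ord(c) <= 0x20 for c in url):
        return True
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        return True
    return parsed.hostname in BLOCKED_HOSTS


def parser_strips_leading_blanks() -> bool:
    """True when this interpreter's urlparse() tolerates a leading space.

    Unpatched interpreters return scheme='' here; patched ones return 'http'.
    """
    return urlparse(" http://host.example/").scheme == "http"


if __name__ == "__main__":
    for candidate in ("http://localhost/", " http://localhost/", "https://public.example/"):
        print(repr(candidate), "naive blocked:", naive_is_blocked(candidate),
              "hardened blocked:", hardened_is_blocked(candidate))
    print("urlparse() strips leading blanks on this interpreter:",
          parser_strips_leading_blanks())
```

Running the script on an unpatched interpreter prints `naive blocked: False` for the space-prefixed localhost URL while the hardened check still blocks it.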
“urlparse() APIs do not perform validation of inputs. They may not raise errors on inputs that other applications consider invalid. They may also succeed on some inputs that might not be considered URLs elsewhere. Their purpose is for practical functionality rather than purity,” the CERT Coordination Center (CERT/CC) said in a Friday advisory.