New Python URL parsing vulnerability could lead to command execution attacks

A high-severity security vulnerability in Python's URL parsing function has been disclosed. It can bypass domain or protocol filtering implemented with blocklists, leading to arbitrary file reading and command execution.

The CERT Coordination Center said in an August 11 bulletin that urlparse mishandles URLs that begin with a whitespace character. The issue affects how the hostname and scheme are parsed, which ultimately defeats any blocklist-based filtering.

The vulnerability is tracked as CVE-2023-24329 and carries a CVSS score of 7.5. It was discovered and reported in August 2022 by security researcher Yebo Cao, and has been addressed in the following releases:

· >= 3.12

· 3.11.x >= 3.11.4

· 3.10.x >= 3.10.12

· 3.9.x >= 3.9.17

· 3.8.x >= 3.8.17

· 3.7.x >= 3.7.17

urllib.parse is a widely used module that breaks a URL down into its component parts or assembles those parts back into a single URL string.

CVE-2023-24329 stems from a lack of input validation: supplying a URL that begins with a whitespace character (e.g., " https://youtube[.]com", with a leading space) causes the scheme and hostname to be parsed incorrectly, which bypasses blocklisting.

The vulnerability could let attackers bypass host-side protections and, in several scenarios, enable SSRF and RCE.
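The following is an added example, not code from the advisory or from CPython, that shows why a hostname blocklist built on urlparse fails open on the affected releases and how to write the check so it does not depend on the parser's whitespace handling. On an unpatched interpreter, a URL with a leading space parses with an empty scheme and a hostname of None, so `None not in blocklist` is True and the URL is allowed; patched interpreters strip the leading whitespace before parsing, so the same input parses normally. The blocklist entries and sample URLs are constructed for illustration; the function names are the example's own.

```python
import sys
from urllib.parse import urlparse

# Constructed sample blocklist; the advisory names no real entries.
BLOCKLIST = {"youtube.com", "evil.example"}


def naive_is_allowed(url: str, blocklist=BLOCKLIST) -> bool:
    """Blocklist check as it is commonly written: parse, then compare hostname.

    On interpreters affected by CVE-2023-24329 a URL that starts with a space
    parses to scheme='' and hostname=None, so the membership test below fails
    open and the URL is allowed.
    """
    host = urlparse(url).hostname
    return host not in blocklist


def hardened_is_allowed(url: str, blocklist=BLOCKLIST) -> bool:
    """Fail-closed variant of the same check.

    1. Reject whitespace and C0/DEL control characters anywhere in the URL
       before parsing, so the parser's own handling of them cannot matter.
    2. Reject anything whose scheme or hostname did not parse.
    3. Normalise the hostname (lowercase, strip trailing dot) and block the
       domain together with its subdomains.
    """
    if any(ch.isspace() or ord(ch) < 0x20 or ord(ch) == 0x7F for ch in url):
        return False
    parts = urlparse(url)
    if parts.scheme not in ("http", "https"):
        return False
    host = parts.hostname
    if not host:
        return False
    host = host.lower().rstrip(".")
    return not any(host == b or host.endswith("." + b) for b in blocklist)


def compare(url: str) -> dict:
    """Return both verdicts plus what urlparse saw, for side-by-side inspection."""
    parts = urlparse(url)
    return {
        "python": sys.version.split()[0],
        "scheme": parts.scheme,
        "hostname": parts.hostname,
        "naive_allowed": naive_is_allowed(url),
        "hardened_allowed": hardened_is_allowed(url),
    }


if __name__ == "__main__":
    # Constructed inputs: a plain blocked URL, two leading-whitespace variants,
    # and an unrelated allowed URL.
    for sample in [
        "https://youtube.com/watch",
        " https://youtube.com/watch",
        "\thttps://youtube.com",
        "https://example.com/",
    ]:
        print(repr(sample), compare(sample))
```

Running the script on a vulnerable release shows `naive_allowed: True` for the two whitespace-prefixed inputs while `hardened_allowed` stays False; on a patched release both checks block them. Rejecting unparseable hostnames outright is the general lesson: a filter that compares `None` against a blocklist will always fail open.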