New Python URL Parsing Vulnerability Facilitates Command Injection Attacks

New Python URL Parsing Vulnerability Facilitates Command Injection Attacks

The Python URL parsing method has been found to contain a serious security flaw. This weakness might be used to get around domain or protocol filtering systems that depend on a block list. Therefore, it can result in unauthorized file access and the execution of uncontrolled commands.

The issue was identified by the CERT Coordination Centre (CERT/CC) in a Friday alert, which informed readers that a parsing error in the URL parser happens when the entire URL begins with empty characters. This problem affects both hostname and scheme parsing, which ultimately causes all blocklisting methods to fail.

The vulnerability gets a CVSS score of 7.5 and the identifier CVE-2023-24329. Yebo Cao, a security researcher, is credited with finding and disclosing this problem in August 2022. The urllib.parse function is frequently used for URL parsing, allowing URLs to be broken down into their component parts or combined into a URL string. t has been addressed in the following versions –

  • >= 3.12
  • 3.11.x >= 3.11.4
  • 3.10.x >= 3.10.12
  • 3.9.x >= 3.9.17
  • 3.8.x >= 3.8.17, and
  • 3.7.x >= 3.7.17

Due to insufficient input validation, CVE-2023-24329 makes it possible to bypass blocklisting techniques by giving a URL that starts with empty characters, such as “https://youtube[.]com”.

Although a blocklist technique can be viewed as less ideal, Cao stated that there are still many instances where it is necessary. “This flaw makes it possible for an attacker to get through the security measures set up by the developer for both scheme and host. This vulnerability therefore has the potential to enable Server-Side Request Forgery (SSRF) and Remote Code Execution (RCE) in a variety of circumstances.

Read Also

Abdul Wahab is a Software Engineer by profession and a Tech geek by nature. Having been associated with the tech industry for the last five years, he has covered a wide range of Tech topics and produced well-researched and engaging content. You will mostly find him reviewing tech products and writing blog posts. Binge-watching tech reviews and endlessly reading tech blogs are his favorite hobbies.