New Python URL Parsing Flaw Could Enable Command Execution Attacks

12-Aug-23

A high-severity flaw in Python's URL parsing function can be used to bypass domain- or protocol-based filters built on a blocklist, potentially leading to arbitrary file reads and command execution. The vulnerability is tracked as CVE-2023-24329 and carries a CVSS score of 7.5. Security researcher Yebo Cao is credited with discovering and reporting the issue in August 2022.
In an advisory published on Friday, the CERT Coordination Center stated that “urlparse has a parsing problem when the entire URL starts with blank characters.” The problem affects the parsing of both the hostname and the scheme: when a URL begins with a blank character, urlparse returns an empty scheme and no hostname, so a blocklist that compares those two fields against forbidden values finds nothing to match and lets the URL through. urllib.parse is a widely used module in Python's standard library that breaks a URL into its components (scheme, network location, path, and so on), and filters that rely on it inherit this behaviour.
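The following is an added example, written for this page and not taken from the advisory, from Yebo Cao's report or from CPython. It puts a blocklist filter of the kind the advisory describes next to a fail-closed allowlist filter, and it probes the running interpreter for the leading-space behaviour rather than assuming it, because CPython later changed urlsplit to strip such characters (the fix shipped in 3.12 and was backported to the then-maintained 3.x branches), so the naive filter's result depends on the Python version. The blocked and allowed schemes and hosts, and the sample URLs, are invented for the demonstration.

```python
"""Added example for CVE-2023-24329: a blocklist URL filter that leading
whitespace can defeat, beside an allowlist filter that does not depend on
how urlparse treats such input.

Assumptions (not from the advisory): the BLOCKED_*/ALLOWED_* sets and the
sample URLs are constructed for this demo.
"""
import re
from urllib.parse import urlparse

# Constructed blocklist of the sort an SSRF / local-file filter often carries.
BLOCKED_SCHEMES = {"file", "gopher", "ftp"}
BLOCKED_HOSTS = {"localhost", "127.0.0.1", "169.254.169.254"}

# Constructed allowlist for the hardened filter.
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_HOSTS = {"api.example.com", "cdn.example.com"}

# RFC 3986 scheme syntax: a letter followed by letters, digits, '+', '-', '.'.
_SCHEME_RE = re.compile(r"[A-Za-z][A-Za-z0-9+.\-]*")


def naive_allows(url: str) -> bool:
    """Blocklist filter that trusts urlparse to fill in scheme and hostname.

    On an interpreter with the CVE-2023-24329 behaviour, a URL that starts
    with whitespace parses to scheme '' and hostname None. Neither value is
    on the blocklist, so the URL is allowed through.
    """
    parts = urlparse(url)
    if parts.scheme.lower() in BLOCKED_SCHEMES:
        return False
    if (parts.hostname or "") in BLOCKED_HOSTS:
        return False
    return True


def strict_allows(url: str) -> bool:
    """Fail-closed filter: rejects input urlparse might misread, then
    allowlists scheme and host instead of blocklisting them."""
    # A URL must begin with its scheme, and a scheme begins with a letter,
    # so any leading whitespace or control character is rejected here
    # regardless of whether this interpreter would strip it before parsing.
    if not url or not url[0].isalpha():
        return False
    # Whitespace and C0/DEL control characters (this demo's reading of the
    # advisory's "blank characters") have no place anywhere in a URL.
    if any(ord(ch) <= 0x20 or ord(ch) == 0x7F for ch in url):
        return False
    parts = urlparse(url)
    if not _SCHEME_RE.fullmatch(parts.scheme):
        return False
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    host = parts.hostname
    if host is None or host.lower() not in ALLOWED_HOSTS:
        return False
    return True


def interpreter_is_affected() -> bool:
    """True when this Python still shows the advisory's behaviour: a single
    leading space makes urlparse return an empty scheme."""
    return urlparse(" https://api.example.com/").scheme == ""


if __name__ == "__main__":
    payload = " file:///etc/passwd"  # constructed bypass attempt
    print("urlparse strips leading blanks:", not interpreter_is_affected())
    print("naive blocklist allows payload: ", naive_allows(payload))
    print("strict allowlist allows payload:", strict_allows(payload))
```

The point of `strict_allows` is that it never has to know whether the interpreter is patched: it rejects the input before parsing on a property (first character must be a letter) that holds for every valid URL, and then requires an explicit match on scheme and host rather than the absence of a match. `naive_allows` is only safe on an interpreter where `interpreter_is_affected()` returns False.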
