Fix bug in urlparse() of urllib.parse that causes URL schemes that begin with a digit, a plus sign, or a minus sign to be parsed incorrectly.
Dates:
Disclosure date: 2022-11-12 (Python issue gh-99418 reported)
Python 3.11.1 (2022-12-06) fixed by commit 72d356e (branch 3.11) (2022-11-13)
Python 3.10 (need commit)
Python 3.7 (need commit)
Python 3.8 (need commit)
Python 3.9 (need commit)
[CVE-2023-24329] urlparse does not correctly handle schemes that begin with ASCII digits, ‘+’, ‘-’, and ‘.’ characters.
Python issue: gh-99418
Creation date: 2022-11-12
Reporter: kenballus
An issue in the urllib.parse component of Python before v3.11 allows attackers to bypass blocklisting methods by supplying a URL that starts with blank characters.
CVE ID: CVE-2023-24329
Published: 2023-02-17
Timeline using the disclosure date 2022-11-12 as reference:
2022-11-12: Python issue gh-99418 reported by kenballus
2022-11-13 (+1 days): commit 439b9cf (branch 3.12)
2022-11-13 (+1 days): commit 72d356e (branch 3.11)
2022-12-06 (+24 days): Python 3.11.1 released
2023-02-17 (+97 days): CVE-2023-24329 published
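
Added example (not code from CPython or from this page): a scheme allowlist check that does not depend on which urlparse() fixes the running interpreter has. It strips leading C0 control characters and spaces, then applies the RFC 3986 scheme grammar itself; the function names, the allowlist and the sample URLs are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# C0 control characters (0x00-0x1F) and space: the "blank" prefix that
# browser-style URL consumers drop before reading the scheme.
_LEADING_JUNK = "".join(chr(c) for c in range(0x21))
# RFC 3986: scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )
_SCHEME_RE = re.compile(r"([A-Za-z][A-Za-z0-9+.\-]*):")

ALLOWED_SCHEMES = frozenset({"http", "https"})  # assumption: application policy


def strict_scheme(url):
    """Return the lowercased RFC 3986 scheme, or None if there is no valid one."""
    m = _SCHEME_RE.match(url.lstrip(_LEADING_JUNK))
    return m.group(1).lower() if m else None


def is_allowed(url, allowed=ALLOWED_SCHEMES):
    """Allowlist decision: anything without a valid, permitted scheme is refused."""
    return strict_scheme(url) in allowed


def stdlib_disagrees(url):
    """True when urlsplit() reports a different scheme than strict_scheme().
    The result depends on the interpreter version, so use it as a diagnostic only."""
    return (urlsplit(url).scheme or None) != strict_scheme(url)


# Constructed sample inputs (not taken from the page).
SAMPLES = [
    "https://example.com/a",
    " file:///tmp/x",        # leading blank, the case in the CVE description
    "+http://example.com/",  # scheme starting with '+', the gh-99418 case
    "1http://example.com/",  # scheme starting with a digit
    "FILE:///tmp/x",         # case must not matter
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r:28} scheme={strict_scheme(s)!r:8} "
              f"allowed={is_allowed(s)!s:5} stdlib_disagrees={stdlib_disagrees(s)}")
```

An allowlist fails closed here: a URL whose scheme cannot be parsed is refused, whereas a blocklist comparison on an empty or malformed scheme lets it through.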