The urllib.parse.urlsplit() and urlparse() functions improperly validated bracketed hosts ([]), allowing hosts that weren't IPv6 or IPvFuture. This behavior was not conformant to RFC 3986 and potentially enabled SSRF if a URL is processed by more than one URL parser.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/11xxx/CVE-2024-11168.json",
"cna_assigner": "PSF"
}{
"source": "AFFECTED_FIELD",
"extracted_events": [
{
"introduced": "0"
},
{
"fixed": "3.9.21"
},
{
"introduced": "3.10.0"
},
{
"fixed": "3.10.16"
},
{
"introduced": "3.11.0"
},
{
"fixed": "3.11.4"
},
{
"introduced": "3.12.0a1"
},
{
"fixed": "3.12.0b1"
}
]
}