SUNNYVALE, Calif. /California Newswire/ — A vulnerability has been discovered in Python’s standard-library urllib.parse module (CVE-2023-24329) by cybersecurity researcher Yebo Cao. This vulnerability has the potential to enable server-side request forgery (SSRF) and remote code execution (RCE) in a wide range of scenarios by bypassing the checks a developer places on a URL’s scheme and host.
Cao, a master’s student at Carnegie Mellon University, holds the Offensive Security Certified Professional (OSCP) certification and is one of the top 100 security researchers at Bugcrowd. He found that urllib.parse mis-parses the scheme and hostname of certain URLs, causing blocklisting and allowlisting checks built on its output to fail.
urllib.parse is Python’s built-in URL parsing module, used by a wide range of applications; its core functions are urlparse() and urlsplit(). The issue is triggered when the entire URL starts with blank characters (leading whitespace): in affected versions the parser does not recognize a scheme in such a string, so it returns an empty scheme and an empty host, and the text that a developer expected to be the scheme and host ends up in the path component instead.
“I personally think the impact of this vulnerability is huge because this urlparse() library is widely used,” Cao said. “Although allowlisting and blocklisting are commonly used security mechanisms in software development, in the affected version of Python’s urllib.parse function, the vulnerability can be exploited to bypass the protections set by the developer for scheme and host. This vulnerability can be expected to help SSRF and RCE in a wide range of scenarios.”
Blocklisting and allowlisting are commonly used security mechanisms that help to prevent unauthorized access or actions. Allowlisting permits only listed values, such as IP addresses, domain names, or file types, while blocklisting rejects listed values, such as websites or file extensions. Both are usually implemented by comparing the parsed scheme or hostname against the list, so when the parser returns an empty scheme and host for an attacker-supplied URL, the comparison never matches and the check is silently bypassed, increasing the risk of exploitation.
Cao’s analysis of the vulnerability, which can be found at https://pointernull.com/security/python-url-parse-problem.html, reveals that allowlisting is also breakable in the affected version of Python. This means that an attacker can potentially exploit the vulnerability to bypass both blocklisting and allowlisting, making it easier to gain unauthorized access.
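The following is an added example, not code from the article or from Cao’s write-up. It places a blocklist-style validator of the kind the vulnerability bypasses beside a hardened allowlist validator that normalizes the URL before parsing it, and it probes the running interpreter so the output is meaningful on both affected and patched versions. The host lists, the sample URLs (including the cloud-metadata address) and the assumption that the downstream HTTP client strips leading whitespace before sending are constructed for illustration and are not from the original page.

```python
"""Added example (not from the original article or from Yebo Cao's write-up):
a URL validator that CVE-2023-24329 bypasses beside a hardened one.
Sample URLs and host lists below are constructed for illustration."""
import sys
from urllib.parse import urlsplit

# Characters the WHATWG URL standard strips from the start and end of a URL
# before parsing: C0 controls (U+0000-U+001F) and U+0020 space.  Patched
# interpreters strip the leading ones inside urlsplit(); affected ones do not.
C0_AND_SPACE = "".join(chr(c) for c in range(0x21))

# Constructed policy: hosts the application is meant to reach, and the
# schemes/targets a blocklist-based validator typically tries to protect.
ALLOWED_HOSTS = {"example.com", "api.example.com"}
BLOCKED_SCHEMES = {"file", "ftp", "gopher"}
BLOCKED_HOSTS = {"localhost", "127.0.0.1", "169.254.169.254"}


def interpreter_is_affected() -> bool:
    """True when this interpreter still mis-parses a URL that starts with a blank."""
    return urlsplit(" http://example.com").scheme == ""


def naive_is_allowed(url: str) -> bool:
    """Blocklist check on the raw string: the pattern the CVE bypasses.

    On an affected interpreter ' file:///etc/passwd' parses with scheme=''
    and hostname=None, so neither blocklist matches and the URL is allowed,
    while an HTTP client that strips leading whitespace (assumed here) will
    still fetch the file URL.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() in BLOCKED_SCHEMES:
        return False
    if (parts.hostname or "").lower() in BLOCKED_HOSTS:
        return False
    return True


def normalize_url(url: str) -> str:
    """Apply the WHATWG leading/trailing strip ourselves, so the verdict does
    not depend on which Python version happens to be installed."""
    return url.strip(C0_AND_SPACE)


def validate_outbound_url(url: str):
    """Hardened check: normalize first, allowlist scheme and host, and hand back
    the exact string the HTTP client must be given (None means reject)."""
    normalized = normalize_url(url)
    # urlsplit() silently removes embedded tab/CR/LF; rejecting them is stricter.
    if any(ch in normalized for ch in "\t\r\n"):
        return None
    parts = urlsplit(normalized)
    if parts.scheme.lower() not in {"http", "https"}:
        return None
    if parts.hostname is None or parts.hostname.lower() not in ALLOWED_HOSTS:
        return None
    return normalized


if __name__ == "__main__":
    samples = [  # constructed inputs
        "https://example.com/report",
        " https://example.com/report",               # leading space: the CVE trigger
        "\x00https://api.example.com/v1",             # leading NUL, also a C0 control
        " file:///etc/passwd",
        " http://169.254.169.254/latest/meta-data/",  # SSRF target behind a blocklist
        "https://evil.example.net/",
    ]
    print(f"Python {sys.version.split()[0]}, affected: {interpreter_is_affected()}")
    for url in samples:
        print(f"{url!r:48} naive={naive_is_allowed(url)!s:5} "
              f"hardened={validate_outbound_url(url)!r}")
```

The design point is that the validator and the fetcher must see the same string: the hardened function returns the normalized URL and the caller passes exactly that to the HTTP client, so there is no second parse in which leading whitespace could be interpreted differently. Switching from a blocklist to an allowlist of schemes and hosts is what turns an empty scheme or host from a silent pass into a rejection.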
The fix, which makes urlsplit() strip leading C0 control and space characters as the WHATWG URL specification requires, shipped in Python 3.11.4 and was backported to the 3.10.12, 3.9.17, 3.8.17 and 3.7.17 releases. Earlier point releases of those branches remain vulnerable, and users are advised to update to a patched release as soon as possible; where that is not immediately possible, the application should strip leading whitespace and control characters itself before parsing and validating a URL.
Cao’s discovery highlights the importance of ongoing security research and the need to remain vigilant against potential vulnerabilities in widely used software libraries. Vulnerabilities in such libraries can have far-reaching consequences, potentially affecting numerous applications and systems that rely on them.
To further mitigate the risk of exploitation, developers are advised to conduct regular vulnerability assessments and to keep their software up to date with the latest security patches. Additionally, developers should consider complementary security mechanisms, such as threat modeling and input validation; for URL handling in particular, validate the normalized URL, prefer an allowlist of schemes and hosts over a blocklist, and make sure the string that is validated is the same string that is eventually fetched.
In conclusion, the discovery of this vulnerability in Python’s urllib.parse function serves as a reminder of the ongoing need for robust cybersecurity practices and the importance of staying vigilant against potential vulnerabilities in widely used software libraries.
About Yebo Cao:
Yebo Cao is an information security expert from Carnegie Mellon University who has been acknowledged by various companies, including Google, Microsoft, and Oracle, for discovering vulnerabilities in their products.
Learn more: https://pointernull.com/
This version of news story was published on and is Copr. © 2023 California Newswire® (CaliforniaNewswire.com) – part of the Neotrope® News Network, USA – all rights reserved.
Information is believed accurate but is not guaranteed. For questions about the above news, contact the company/org/person noted in the text and NOT this website.