CVE-2023-24329

⚠️ high

Summary

An issue in the urllib.parse component of Python before 3.11.4 allows attackers to bypass blocklisting methods by supplying a URL that starts with blank characters.

CVSS Score

7.5

High

EPSS Score

1.4

Exploit Probability

Published Date

2023-02-17

First Seen: 2026-01-05

📊 Relative Risk Intelligence

This CVE is Moderate Risk - more severe than 68.9% of all 329,456 vulnerabilities in our database.

#102,448

Above average severity

Severity Percentile

🎯 CISA SSVC Assessment Updated: Mar 18, 2025

🔍 Exploitation Status

None

No known exploits

⚙️ Automatable

YES

Can be exploited automatically

💥 Technical Impact

Partial

Limited system impact

SSVC data provided by CISA

Last Modified 2025-11-03

Source NVD 🔗

CVSS Vector 3.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CWE IDs (Weakness Types)

CWE-20

📦 Affected Products 12

Vendor	Product	Status	Affected Versions
fedoraproject	fedora	Affected	v36
fedoraproject	fedora	Affected	v37
fedoraproject	fedora	Affected	v38
python	python	Affected	≥ 3.10.0 < 3.10.12
python	python	Affected	≥ 3.11.0 < 3.11.4
python	python	Affected	< 3.7.17
python	python	Affected	≥ 3.8.0 < 3.8.17
python	python	Affected	≥ 3.9.0 < 3.9.17
netapp	ontap_select_deploy_administration_utility	Affected	v-
netapp	active_iq_unified_manager	Affected	v-
netapp	management_services_for_element_software	Affected	v-
netapp	management_services_for_netapp_hci	Affected	v-

🔗 References 29

https://github.com/python/cpython/issues/102153

Issue Tracking

https://github.com/python/cpython/pull/99421

Patch

https://lists.debian.org/debian-lts-announce/2023/09...

https://lists.fedoraproject.org/archives/list/packag...

https://pointernull.com/security/python-url-parse-pr...

Exploit Mitigation Technical Description Third Party Advisory

https://security.netapp.com/advisory/ntap-20230324-0...

Third Party Advisory

https://www.kb.cert.org/vuls/id/127587

https://lists.debian.org/debian-lts-announce/2024/11...

https://lists.debian.org/debian-lts-announce/2024/12...

🔗 Related CVEs 6

CVE ID	Severity	CVSS	EPSS	Summary	Published
CVE-2026-7210	⚠️ high	7.5	0.8	`xml.parsers.expat` and `xml.etree.ElementTree` use insufficient entropy for Expat hash-flooding protection, which allow...	2026-05-11
CVE-2026-3087	⚠️ high	7.5	0.2	If `shutil.unpack_archive()` is given a ZIP archive with an absolute Windows path containing a drive (`C:\\...`) then th...	2026-04-27
CVE-2026-6019	🔶 medium	6.1	0.0	http.cookies.Morsel.js_output() returns an inline <script> snippet and only escapes " for JavaScript string context. It ...	2026-04-22
CVE-2026-35093	⚠️ high	8.8	0.0	A flaw was found in libinput. A local attacker who can place a specially crafted Lua bytecode file in certain system or ...	2026-04-01
CVE-2026-35094	ℹ️ low	3.3	0.0	A flaw was found in libinput. An attacker capable of deploying a Lua plugin file in specific system directories can expl...	2026-04-01
CVE-2026-3644	⚠️ high	7.5	0.1	The fix for CVE-2026-0672, which rejected control characters in http.cookies.Morsel, was incomplete. The Morsel.update()...	2026-03-16

These CVEs affect the same products