CVE-2023-24329

7.5 HIGH

📋 TL;DR

This vulnerability in Python's urllib.parse component allows attackers to bypass URL blocklisting mechanisms by using URLs that begin with blank characters (like spaces or tabs). This affects applications using Python versions before 3.11.4 that rely on URL validation or filtering. Attackers could potentially access blocked resources or services.

💻 Affected Systems

Products:
  • Python
  • Applications using Python's urllib.parse
Versions: Python versions before 3.11.4
Operating Systems: All operating systems running affected Python versions
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects applications using urllib.parse for URL validation/blocklisting. Applications not using this component are not vulnerable.

📦 What is this software?

Python by Python

Python is a high-level, interpreted programming language known for its readability and versatility. It is widely used in web development, data science, automation, and scientific computing.


⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers bypass security controls to access restricted internal services, sensitive APIs, or administrative interfaces, leading to data breaches or system compromise.

🟠

Likely Case

Bypass of URL filtering/validation in web applications, allowing access to blocked domains or endpoints that should be restricted.

🟢

If Mitigated

Limited impact if applications implement additional validation layers or don't rely solely on urllib.parse for URL security.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires the attacker to control URL input to vulnerable applications. Simple to exploit with knowledge of the bypass technique.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Python 3.11.4 and later

Vendor Advisory: https://github.com/python/cpython/issues/102153

Restart Required: Yes

Instructions:

1. Upgrade Python to version 3.11.4 or later.
2. For Linux systems: use the package manager (apt/yum) to update the python3 package.
3. For Windows: download and install the latest Python from python.org.
4. Restart all Python applications/services.

🔧 Temporary Workarounds

Input sanitization workaround

Applies to: all

Strip leading whitespace from URL inputs before processing with urllib.parse:

url_input = url_input.lstrip()

Alternative URL parsing

Applies to: all

Use alternative URL parsing libraries or implement custom validation.

🧯 If You Can't Patch

  • Implement strict input validation that strips or rejects URLs with leading whitespace
  • Use web application firewalls (WAF) with rules to detect and block URLs with leading whitespace

🔍 How to Verify

Check if Vulnerable:

Check the Python version with 'python3 --version' or 'python --version'. If the version is below 3.11.4, the system is vulnerable.

Check Version:

python3 --version

Verify Fix Applied:

After patching, verify Python version is 3.11.4 or higher. Test URL parsing with leading whitespace to confirm proper handling.
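The following is an added example (not code from the advisory or from CPython) covering the two points above: the "strip or reject leading whitespace" workaround and the "test URL parsing with leading whitespace" verification step. It rejects, rather than strips, any URL whose first character is a space or a C0 control character, which is the same character set the 3.11.4 fix removes, so the application-level check holds on both patched and unpatched interpreters. The host names, block list and allowed schemes are constructed for illustration.

```python
"""Hardened URL validation independent of urllib.parse's handling of
leading blank characters (added example; block list and hosts are
constructed, not taken from the advisory)."""
from urllib.parse import urlsplit

# Constructed sample block list of hosts the application must never reach.
BLOCKED_HOSTS = {"internal.example", "169.254.169.254", "localhost"}
ALLOWED_SCHEMES = {"http", "https"}


def has_leading_c0_or_space(url: str) -> bool:
    """True if the URL starts with a space or a C0 control character
    (U+0000..U+0020), the range the CPython fix strips. A tab (U+0009)
    and a space (U+0020) are the cases the advisory names."""
    return bool(url) and ord(url[0]) <= 0x20


def is_url_allowed(url: str) -> bool:
    """Return True only for a well-formed http(s) URL whose host is not blocked.

    Rejecting (instead of lstrip()-ing) leading blanks is the safer choice:
    a leading blank is never legitimate input, and stripping would silently
    accept input shaped to confuse an unpatched parser."""
    if not url or has_leading_c0_or_space(url):
        return False
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    host = parts.hostname  # lower-cased, port removed, IPv6 brackets removed
    if not host or host in BLOCKED_HOSTS:
        return False
    return True


def interpreter_strips_leading_blank() -> bool:
    """Verification check for the CPython fix: a patched urlsplit() discards
    the leading space and reports the real scheme and host; an unpatched one
    returns an empty scheme and puts the whole string in the path."""
    parts = urlsplit(" https://internal.example/")
    return parts.scheme == "https" and parts.hostname == "internal.example"


if __name__ == "__main__":
    for candidate in ("https://api.example/v1",
                      " https://internal.example/",
                      "\thttps://api.example/v1",
                      "https://internal.example/",
                      "ftp://api.example/"):
        verdict = "allowed" if is_url_allowed(candidate) else "rejected"
        print(f"{candidate!r:40} -> {verdict}")
    print("urlsplit strips leading blank (patched interpreter):",
          interpreter_strips_leading_blank())
```

Run it once on the interpreter you intend to deploy: the last line reports whether urlsplit() itself is patched, while the verdicts show that the application check rejects blank-prefixed URLs regardless of that result.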

📡 Detection & Monitoring

Log Indicators:

  • URLs in logs with leading whitespace characters
  • Failed authentication attempts with unusual URL formats
  • Access to normally blocked endpoints

Network Indicators:

  • HTTP requests with URLs containing leading %20 (space) or %09 (tab) encodings
  • Unusual traffic patterns to restricted services

SIEM Query:

source="*web.log*" AND (url=" %*" OR url="\t%*")
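As an added example of the log indicators above (not part of the advisory, and not a query for any particular SIEM), the script below scans a constructed JSON-lines request log and flags URLs that begin with a literal blank or control character, or with a percent-encoded one (%00..%1F, %20). The log format, hosts and client addresses are constructed for illustration; adapt the record parsing to your own log schema.

```python
"""Detect URLs with a leading blank or control character in request logs
(added example; the sample log below is constructed, not real data)."""
import json
import re
from collections import Counter

# Constructed JSON-lines log: one request per line with a "url" field.
SAMPLE_LOG = """\
{"ts":"2023-03-01T10:00:00Z","client":"203.0.113.5","url":"https://api.example/v1/items","status":200}
{"ts":"2023-03-01T10:00:02Z","client":"203.0.113.9","url":" https://internal.example/admin","status":200}
{"ts":"2023-03-01T10:00:03Z","client":"203.0.113.9","url":"%09https://internal.example/admin","status":200}
{"ts":"2023-03-01T10:00:04Z","client":"203.0.113.7","url":"https://api.example/v1/search?q=%20term","status":200}
{"ts":"2023-03-01T10:00:05Z","client":"203.0.113.9","url":"%20http://169.254.169.254/latest/","status":403}
"""

# Matches a URL whose first character is U+0000..U+0020 as a literal byte,
# or the same range percent-encoded (%00-%1F, %20). Anchored at the start:
# encoded blanks later in the URL (query strings) are normal and ignored.
LEADING_BLANK = re.compile(r"^(?:[\x00-\x20]|%(?:[01][0-9a-fA-F]|20))")


def flag_leading_blank_urls(log_text: str) -> list:
    """Return one hit record per log line whose URL starts with a blank."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line; a production scanner would count these
        url = rec.get("url", "")
        match = LEADING_BLANK.match(url)
        if match:
            hits.append({
                "line": lineno,
                "client": rec.get("client"),
                "prefix": match.group(0),
                "url": url,
                "status": rec.get("status"),
            })
    return hits


def clients_by_hit_count(hits: list) -> Counter:
    """Count hits per client; repeated hits from one source are the
    pattern worth an alert rather than a single odd request."""
    return Counter(h["client"] for h in hits)


if __name__ == "__main__":
    found = flag_leading_blank_urls(SAMPLE_LOG)
    for h in found:
        print(f"line {h['line']}: client={h['client']} prefix={h['prefix']!r} "
              f"status={h['status']} url={h['url']!r}")
    print("per-client:", dict(clients_by_hit_count(found)))
```

Line 4 of the sample is deliberately not flagged: its %20 sits inside the query string, so anchoring the pattern at the start of the URL keeps ordinary encoded spaces out of the alert stream.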
