CVE-2023-24329: 
NixOS vulnerability analysis and mitigation

An issue in the urllib.parse component of Python before version 3.11.4 allows attackers to bypass blocklisting methods by supplying a URL that starts with blank characters. The vulnerability, identified as CVE-2023-24329, was discovered in early 2023 and affects multiple Python versions including versions prior to 3.7.17, 3.8.17, 3.9.17, 3.10.12, and 3.11.4 (CERT VU, NVD).

The vulnerability exists in the urlparse function's handling of URLs that begin with blank characters. The issue affects both the parsing of hostname and scheme components, which can cause any blocklisting methods to fail. The urlsplit() and urlparse() APIs do not perform validation of inputs and may not raise errors on inputs that other applications consider invalid. Instead of raising exceptions on unusual input, they may return component parts as empty strings or contain more data than intended (CERT VU). The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (High), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N (NetApp Advisory).

The vulnerability can allow attackers to bypass domain or protocol filtering methods implemented with a blocklist. Protocol filtering failures can lead to arbitrary file reads, arbitrary command execution, SSRF (Server-Side Request Forgery), and other security issues. Domain name filtering failures may result in re-access to blocked malicious websites or compromise CSRF referer-type defenses. The vulnerability's presence in this fundamental parsing library makes more advanced exploits possible (CERT VU).

The vulnerability has been fixed in Python versions 3.7.17, 3.8.17, 3.9.17, 3.10.12, and 3.11.4 or later. Users are advised to upgrade to these patched versions. For cases where immediate upgrading is not possible, it is recommended to implement additional verification within the code before trusting returned component parts, including validation of schemes, paths, and hostnames (CERT VU).

The vulnerability has received significant attention from major software vendors and security researchers. Multiple Linux distributions including Fedora, Ubuntu, and Debian have issued security advisories and patches. NetApp has conducted extensive analysis of their product portfolio to identify and address affected systems (NetApp Advisory).