CVE-2024-11168: 
Rocky Linux vulnerability analysis and mitigation

The urllib.parse.urlsplit() and urlparse() functions in Python contained a vulnerability (CVE-2024-11168) where they improperly validated bracketed hosts ([]), allowing hosts that weren't IPv6 or IPvFuture. This vulnerability was discovered and disclosed on November 12, 2024, affecting multiple Python versions. The issue was not conformant to RFC 3986 specifications and could potentially enable Server-Side Request Forgery (SSRF) if a URL is processed by more than one URL parser (Python Security).

The vulnerability exists in Python's URL parsing functions where they incorrectly retrieve IPv4 addresses and regular name hosts from inside brackets, violating both RFC 3986 and WHATWG specifications. The CVSS v4.0 score is 6.3 (MEDIUM) with vector CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N/AU:N, while the CVSS v3.1 score is 3.7 (LOW) with vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N (NVD).

The vulnerability could potentially enable Server-Side Request Forgery (SSRF) attacks when a URL is processed by multiple URL parsers. This could lead to security implications particularly in scenarios where URL validation is critical for security controls (Python Security).

The issue has been fixed in multiple Python versions through security patches. Fixes have been backported to Python 3.9, 3.10, and 3.11. Python 3.12 includes the fix in its initial release. Users should upgrade to the patched versions: Python 3.8.10-0ubuntu1~20.04.14 (for Ubuntu 20.04), Python 3.10.12-1~22.04.8 (for Ubuntu 22.04), or later versions (Ubuntu Security).