Main Vulnerability Database SB2025032766

SB2025032766 - SUSE update for python3

Published: March 27, 2025

Security Bulletin ID SB2025032766

Severity

Medium

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Data manipulation

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Input validation error (CVE-ID: CVE-2024-11168)

The vulnerability allows a remote attacker to bypass security restrictions.

The vulnerability exists due to insufficient validation of bracketed hosts (e.g. []) within the urllib.parse.urlsplit() and urlparse() functions allowing hosts that weren't IPv6 or IPvFuture. A remote attacker can pass specially crafted IP address to the application to bypass implemented IP-based security checks or perform SSRF attacks.

Remediation

Install update from vendor's website.

References

https://www.suse.com/support/update/announcement/2025/suse-su-20251041-1/

Vulnerable Software

SUSE Linux Enterprise Server 12 SP5 LTSS Extended: Security
SUSE Linux Enterprise Server for SAP Applications 12: SP5
SUSE Linux Enterprise Server 12: SP5
python3-debuginfo: before 3.4.10-25.151.1
python3: before 3.4.10-25.151.1
libpython3_4m1_0: before 3.4.10-25.151.1
python3-debugsource: before 3.4.10-25.151.1
python3-tk: before 3.4.10-25.151.1
python3-curses: before 3.4.10-25.151.1
python3-devel: before 3.4.10-25.151.1
libpython3_4m1_0-32bit: before 3.4.10-25.151.1
libpython3_4m1_0-debuginfo-32bit: before 3.4.10-25.151.1
python3-base-debugsource: before 3.4.10-25.151.1
python3-tk-debuginfo: before 3.4.10-25.151.1
python3-curses-debuginfo: before 3.4.10-25.151.1
libpython3_4m1_0-debuginfo: before 3.4.10-25.151.1
python3-base-debuginfo-32bit: before 3.4.10-25.151.1
python3-devel-debuginfo: before 3.4.10-25.151.1
python3-base: before 3.4.10-25.151.1
python3-base-debuginfo: before 3.4.10-25.151.1