Django REST framework

Package Instance

Lookup for vulnerable packages by Package URL.

Purlpkg:pypi/requests@2.13.0
Typepypi
Namespace
Namerequests
Version2.13.0
Qualifiers
Subpath
Is_vulnerabletrue
Next_non_vulnerable_version2.31.0
Latest_non_vulnerable_version2.31.0
Affected_by_vulnerabilities
0
url VCID-k5e5-nfns-gyd8
vulnerability_id VCID-k5e5-nfns-gyd8
summary Requests is a HTTP library. Since Requests 2.3.0, Requests has been leaking Proxy-Authorization headers to destination servers when redirected to an HTTPS endpoint. This is a product of how we use `rebuild_proxies` to reattach the `Proxy-Authorization` header to requests. For HTTP connections sent through the tunnel, the proxy will identify the header in the request itself and remove it prior to forwarding to the destination server. However when sent over HTTPS, the `Proxy-Authorization` header must be sent in the CONNECT request as the proxy has no visibility into the tunneled request. This results in Requests forwarding proxy credentials to the destination server unintentionally, allowing a malicious actor to potentially exfiltrate sensitive information. This issue has been patched in version 2.31.0.
references
0
reference_url https://github.com/psf/requests
reference_id
reference_type
scores
url https://github.com/psf/requests
1
reference_url https://github.com/psf/requests/commit/74ea7cf7a6a27a4eeb2ae24e162bcc942a6706d5
reference_id
reference_type
scores
url https://github.com/psf/requests/commit/74ea7cf7a6a27a4eeb2ae24e162bcc942a6706d5
2
reference_url https://github.com/psf/requests/releases/tag/v2.31.0
reference_id
reference_type
scores
url https://github.com/psf/requests/releases/tag/v2.31.0
3
reference_url https://github.com/psf/requests/security/advisories/GHSA-j8r2-6x86-q33q
reference_id
reference_type
scores
url https://github.com/psf/requests/security/advisories/GHSA-j8r2-6x86-q33q
4
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/requests/PYSEC-2023-74.yaml
reference_id
reference_type
scores
url https://github.com/pypa/advisory-database/tree/main/vulns/requests/PYSEC-2023-74.yaml
5
reference_url https://lists.debian.org/debian-lts-announce/2023/06/msg00018.html
reference_id
reference_type
scores
url https://lists.debian.org/debian-lts-announce/2023/06/msg00018.html
6
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AW7HNFGYP44RT3DUDQXG2QT3OEV2PJ7Y
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AW7HNFGYP44RT3DUDQXG2QT3OEV2PJ7Y
7
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AW7HNFGYP44RT3DUDQXG2QT3OEV2PJ7Y/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AW7HNFGYP44RT3DUDQXG2QT3OEV2PJ7Y/
8
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KOYASTZDGQG2BWLSNBPL3TQRL2G7QYNZ
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KOYASTZDGQG2BWLSNBPL3TQRL2G7QYNZ
9
reference_url https://security.gentoo.org/glsa/202309-08
reference_id
reference_type
scores
url https://security.gentoo.org/glsa/202309-08
10
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-32681
reference_id CVE-2023-32681
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2023-32681
11
reference_url https://github.com/advisories/GHSA-j8r2-6x86-q33q
reference_id GHSA-j8r2-6x86-q33q
reference_type
scores
url https://github.com/advisories/GHSA-j8r2-6x86-q33q
fixed_packages
0
url pkg:pypi/requests@2.31.0
purl pkg:pypi/requests@2.31.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/requests@2.31.0
aliases CVE-2023-32681, GHSA-j8r2-6x86-q33q, PYSEC-2023-74
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-k5e5-nfns-gyd8
1
url VCID-y16k-z2b6-8bam
vulnerability_id VCID-y16k-z2b6-8bam
summary The Requests package before 2.20.0 for Python sends an HTTP Authorization header to an http URI upon receiving a same-hostname https-to-http redirect, which makes it easier for remote attackers to discover credentials by sniffing the network.
references
0
reference_url http://docs.python-requests.org/en/master/community/updates/#release-and-version-history
reference_id
reference_type
scores
url http://docs.python-requests.org/en/master/community/updates/#release-and-version-history
1
reference_url http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00024.html
reference_id
reference_type
scores
url http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00024.html
2
reference_url https://access.redhat.com/errata/RHSA-2019:2035
reference_id
reference_type
scores
url https://access.redhat.com/errata/RHSA-2019:2035
3
reference_url https://bugs.debian.org/910766
reference_id
reference_type
scores
url https://bugs.debian.org/910766
4
reference_url https://github.com/advisories/GHSA-x84v-xcm2-53pg
reference_id
reference_type
scores
url https://github.com/advisories/GHSA-x84v-xcm2-53pg
5
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/requests/PYSEC-2018-28.yaml
reference_id
reference_type
scores
url https://github.com/pypa/advisory-database/tree/main/vulns/requests/PYSEC-2018-28.yaml
6
reference_url https://github.com/requests/requests
reference_id
reference_type
scores
url https://github.com/requests/requests
7
reference_url https://github.com/requests/requests/commit/c45d7c49ea75133e52ab22a8e9e13173938e36ff
reference_id
reference_type
scores
url https://github.com/requests/requests/commit/c45d7c49ea75133e52ab22a8e9e13173938e36ff
8
reference_url https://github.com/requests/requests/issues/4716
reference_id
reference_type
scores
url https://github.com/requests/requests/issues/4716
9
reference_url https://github.com/requests/requests/pull/4718
reference_id
reference_type
scores
url https://github.com/requests/requests/pull/4718
10
reference_url https://usn.ubuntu.com/3790-1
reference_id
reference_type
scores
url https://usn.ubuntu.com/3790-1
11
reference_url https://usn.ubuntu.com/3790-1/
reference_id
reference_type
scores
url https://usn.ubuntu.com/3790-1/
12
reference_url https://usn.ubuntu.com/3790-2
reference_id
reference_type
scores
url https://usn.ubuntu.com/3790-2
13
reference_url https://usn.ubuntu.com/3790-2/
reference_id
reference_type
scores
url https://usn.ubuntu.com/3790-2/
14
reference_url https://www.oracle.com/security-alerts/cpujul2022.html
reference_id
reference_type
scores
url https://www.oracle.com/security-alerts/cpujul2022.html
15
reference_url https://nvd.nist.gov/vuln/detail/CVE-2018-18074
reference_id CVE-2018-18074
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2018-18074
fixed_packages
0
url pkg:pypi/requests@2.20.0
purl pkg:pypi/requests@2.20.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-k5e5-nfns-gyd8
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/requests@2.20.0
aliases CVE-2018-18074, GHSA-x84v-xcm2-53pg, PYSEC-2018-28
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-y16k-z2b6-8bam
Fixing_vulnerabilities
Risk_scorenull
Resource_urlhttp://public2.vulnerablecode.io/packages/pkg:pypi/requests@2.13.0