Look up vulnerable packages by Package URL (purl).

Purl pkg:pypi/urllib3@2.0.6
Type pypi
Namespace
Name urllib3
Version 2.0.6
Qualifiers
Subpath
Is_vulnerable true
Next_non_vulnerable_version 2.7.0
Latest_non_vulnerable_version 2.7.0
Affected_by_vulnerabilities
0
url VCID-21kr-1hbf-rfag
vulnerability_id VCID-21kr-1hbf-rfag
summary urllib3 is a user-friendly HTTP client library for Python. urllib3 previously wouldn't remove the HTTP request body when an HTTP redirect response using status 301, 302, or 303 after the request had its method changed from one that could accept a request body (like `POST`) to `GET` as is required by HTTP RFCs. Although this behavior is not specified in the section for redirects, it can be inferred by piecing together information from different sections and we have observed the behavior in other major HTTP client implementations like curl and web browsers. Because the vulnerability requires a previously trusted service to become compromised in order to have an impact on confidentiality we believe the exploitability of this vulnerability is low. Additionally, many users aren't putting sensitive data in HTTP request bodies, if this is the case then this vulnerability isn't exploitable. Both of the following conditions must be true to be affected by this vulnerability: 1. Using urllib3 and submitting sensitive information in the HTTP request body (such as form data or JSON) and 2. The origin service is compromised and starts redirecting using 301, 302, or 303 to a malicious peer or the redirected-to service becomes compromised. This issue has been addressed in versions 1.26.18 and 2.0.7 and users are advised to update to resolve this issue. Users unable to update should disable redirects for services that aren't expecting to respond with redirects with `redirects=False` and disable automatic redirects with `redirects=False` and handle 301, 302, and 303 redirects manually by stripping the HTTP request body.
references
0
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/urllib3/PYSEC-2023-212.yaml
reference_id
reference_type
scores
url https://github.com/pypa/advisory-database/tree/main/vulns/urllib3/PYSEC-2023-212.yaml
1
reference_url https://github.com/urllib3/urllib3
reference_id
reference_type
scores
url https://github.com/urllib3/urllib3
2
reference_url https://github.com/urllib3/urllib3/commit/4e50fbc5db74e32cabd5ccc1ab81fc103adfe0b3
reference_id
reference_type
scores
url https://github.com/urllib3/urllib3/commit/4e50fbc5db74e32cabd5ccc1ab81fc103adfe0b3
3
reference_url https://github.com/urllib3/urllib3/commit/4e98d57809dacab1cbe625fddeec1a290c478ea9
reference_id
reference_type
scores
0
value 4.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N
url https://github.com/urllib3/urllib3/commit/4e98d57809dacab1cbe625fddeec1a290c478ea9
4
reference_url https://github.com/urllib3/urllib3/commit/b594c5ceaca38e1ac215f916538fb128e3526a36
reference_id
reference_type
scores
url https://github.com/urllib3/urllib3/commit/b594c5ceaca38e1ac215f916538fb128e3526a36
5
reference_url https://github.com/urllib3/urllib3/releases/tag/1.26.18
reference_id
reference_type
scores
url https://github.com/urllib3/urllib3/releases/tag/1.26.18
6
reference_url https://github.com/urllib3/urllib3/releases/tag/2.0.7
reference_id
reference_type
scores
url https://github.com/urllib3/urllib3/releases/tag/2.0.7
7
reference_url https://github.com/urllib3/urllib3/security/advisories/GHSA-g4mx-q9vg-27p4
reference_id
reference_type
scores
0
value 4.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N
url https://github.com/urllib3/urllib3/security/advisories/GHSA-g4mx-q9vg-27p4
8
reference_url https://lists.debian.org/debian-lts-announce/2024/12/msg00020.html
reference_id
reference_type
scores
url https://lists.debian.org/debian-lts-announce/2024/12/msg00020.html
9
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4R2Y5XK3WALSR3FNAGN7JBYV2B343ZKB
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4R2Y5XK3WALSR3FNAGN7JBYV2B343ZKB
10
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5F5CUBAN5XMEBVBZPHFITBLMJV5FIJJ5
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5F5CUBAN5XMEBVBZPHFITBLMJV5FIJJ5
11
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PPDPLM6UUMN55ESPQWJFLLIZY4ZKCNRX
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PPDPLM6UUMN55ESPQWJFLLIZY4ZKCNRX
12
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PPDPLM6UUMN55ESPQWJFLLIZY4ZKCNRX/
reference_id
reference_type
scores
0
value 4.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PPDPLM6UUMN55ESPQWJFLLIZY4ZKCNRX/
13
reference_url https://www.rfc-editor.org/rfc/rfc9110.html#name-get
reference_id
reference_type
scores
0
value 4.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N
url https://www.rfc-editor.org/rfc/rfc9110.html#name-get
14
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-45803
reference_id CVE-2023-45803
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2023-45803
15
reference_url https://github.com/advisories/GHSA-g4mx-q9vg-27p4
reference_id GHSA-g4mx-q9vg-27p4
reference_type
scores
url https://github.com/advisories/GHSA-g4mx-q9vg-27p4
fixed_packages
0
url pkg:pypi/urllib3@2.0.7
purl pkg:pypi/urllib3@2.0.7
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-ueb4-ur9q-u3e1
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/urllib3@2.0.7
aliases CVE-2023-45803, GHSA-g4mx-q9vg-27p4, PYSEC-2023-212
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-21kr-1hbf-rfag
1
url VCID-ueb4-ur9q-u3e1
vulnerability_id VCID-ueb4-ur9q-u3e1
summary urllib3 is an HTTP client library for Python. From 1.23 to before 2.7.0, cross-origin redirects followed from the low-level API via ProxyManager.connection_from_url().urlopen(..., assert_same_host=False) still forward these sensitive headers. This vulnerability is fixed in 2.7.0.
references
0
reference_url https://github.com/urllib3/urllib3/security/advisories/GHSA-qccp-gfcp-xxvc
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
url https://github.com/urllib3/urllib3/security/advisories/GHSA-qccp-gfcp-xxvc
fixed_packages
0
url pkg:pypi/urllib3@2.7.0
purl pkg:pypi/urllib3@2.7.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/urllib3@2.7.0
aliases CVE-2026-44431, GHSA-qccp-gfcp-xxvc, PYSEC-2026-141
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-ueb4-ur9q-u3e1
Fixing_vulnerabilities
0
url VCID-ah3u-nfq4-dfg6
vulnerability_id VCID-ah3u-nfq4-dfg6
summary urllib3 is a user-friendly HTTP client library for Python. urllib3 doesn't treat the `Cookie` HTTP header special or provide any helpers for managing cookies over HTTP, that is the responsibility of the user. However, it is possible for a user to specify a `Cookie` header and unknowingly leak information via HTTP redirects to a different origin if that user doesn't disable redirects explicitly. This issue has been patched in urllib3 version 1.26.17 or 2.0.5.
references
0
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/urllib3/PYSEC-2023-192.yaml
reference_id
reference_type
scores
url https://github.com/pypa/advisory-database/tree/main/vulns/urllib3/PYSEC-2023-192.yaml
1
reference_url https://github.com/urllib3/urllib3
reference_id
reference_type
scores
url https://github.com/urllib3/urllib3
2
reference_url https://github.com/urllib3/urllib3/commit/01220354d389cd05474713f8c982d05c9b17aafb
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
url https://github.com/urllib3/urllib3/commit/01220354d389cd05474713f8c982d05c9b17aafb
3
reference_url https://github.com/urllib3/urllib3/commit/644124ecd0b6e417c527191f866daa05a5a2056d
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
url https://github.com/urllib3/urllib3/commit/644124ecd0b6e417c527191f866daa05a5a2056d
4
reference_url https://github.com/urllib3/urllib3/security/advisories/GHSA-v845-jxx5-vc9f
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
url https://github.com/urllib3/urllib3/security/advisories/GHSA-v845-jxx5-vc9f
5
reference_url https://lists.debian.org/debian-lts-announce/2023/10/msg00012.html
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
url https://lists.debian.org/debian-lts-announce/2023/10/msg00012.html
6
reference_url https://lists.debian.org/debian-lts-announce/2024/12/msg00020.html
reference_id
reference_type
scores
url https://lists.debian.org/debian-lts-announce/2024/12/msg00020.html
7
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5F5CUBAN5XMEBVBZPHFITBLMJV5FIJJ5
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5F5CUBAN5XMEBVBZPHFITBLMJV5FIJJ5
8
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I3PR7C6RJ6JUBQKIJ644DMIJSUP36VDY
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I3PR7C6RJ6JUBQKIJ644DMIJSUP36VDY
9
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NDAGZXYJ7H2G3SB47M453VQVNAWKAEJJ
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NDAGZXYJ7H2G3SB47M453VQVNAWKAEJJ
10
reference_url https://security.netapp.com/advisory/ntap-20241213-0007
reference_id
reference_type
scores
url https://security.netapp.com/advisory/ntap-20241213-0007
11
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-43804
reference_id CVE-2023-43804
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2023-43804
12
reference_url https://www.vicarius.io/vsociety/posts/cve-2023-43804-urllib3-vulnerability-3
reference_id CVE-2023-43804-URLLIB3-VULNERABILITY-3
reference_type
scores
url https://www.vicarius.io/vsociety/posts/cve-2023-43804-urllib3-vulnerability-3
13
reference_url https://github.com/advisories/GHSA-v845-jxx5-vc9f
reference_id GHSA-v845-jxx5-vc9f
reference_type
scores
url https://github.com/advisories/GHSA-v845-jxx5-vc9f
fixed_packages
0
url pkg:pypi/urllib3@1.26.17
purl pkg:pypi/urllib3@1.26.17
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-21kr-1hbf-rfag
1
vulnerability VCID-ueb4-ur9q-u3e1
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/urllib3@1.26.17
1
url pkg:pypi/urllib3@2.0.6
purl pkg:pypi/urllib3@2.0.6
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-21kr-1hbf-rfag
1
vulnerability VCID-ueb4-ur9q-u3e1
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/urllib3@2.0.6
aliases CVE-2023-43804, GHSA-v845-jxx5-vc9f, PYSEC-2023-192
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-ah3u-nfq4-dfg6
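The three advisories above describe the same family of bug: urllib3 following a redirect and carrying something across the hop that should have been dropped, either the request body after a 301/302/303 changed POST to GET (CVE-2023-45803) or credential headers such as `Cookie` on a cross-origin redirect (CVE-2023-43804, and the `assert_same_host=False` path in VCID-ueb4-ur9q-u3e1). The advisory text recommends disabling automatic redirects and handling them by hand. The following is an added example of doing exactly that; it is not urllib3's own implementation. It assumes only a urllib3-style `.request(method, url, body=, headers=, redirect=False)` interface (note the real urllib3 keyword is `redirect=False`, singular, where the advisory text writes `redirects=False`), so `urllib3.PoolManager()` can be passed in, while the `FakePool`, the host names and the scripted 302 from a "compromised" origin are constructed here so the example runs offline. The set of headers treated as credentials is this example's own choice.

```python
# Added example: manual redirect handling that strips the body on a method
# change and strips credential headers on a cross-origin hop. Illustrative
# code, not urllib3's implementation.
from urllib.parse import urljoin, urlsplit

REDIRECT_STATUSES = frozenset({301, 302, 303, 307, 308})
# Headers that describe the request body; they go when the body goes.
BODY_HEADERS = frozenset({"content-length", "transfer-encoding", "content-type"})
# Credential-bearing headers that must not cross an origin boundary
# (this example's choice of set, not a statement about urllib3 defaults).
SENSITIVE_HEADERS = frozenset({"cookie", "authorization", "proxy-authorization"})


def origin(url):
    """(scheme, host, port) with default ports filled in."""
    parts = urlsplit(url)
    port = parts.port or {"http": 80, "https": 443}.get(parts.scheme.lower())
    return (parts.scheme.lower(), (parts.hostname or "").lower(), port)


def prepare_redirect(method, url, body, headers, status, location):
    """Compute the follow-up request for a redirect response.

    303: every method except HEAD becomes GET (RFC 9110, section 15.4.4).
    301/302: POST becomes GET, as curl and browsers do.
    A method change drops the body and body-describing headers (the
    CVE-2023-45803 fix); a change of origin drops credential headers (the
    CVE-2023-43804 fix). 307/308 keep method, body and headers.
    """
    new_url = urljoin(url, location)
    new_method, new_body, new_headers = method, body, dict(headers)
    changes_method = (status == 303 and method != "HEAD") or (
        status in (301, 302) and method == "POST")
    if changes_method:
        new_method, new_body = "GET", None
        new_headers = {k: v for k, v in new_headers.items()
                       if k.lower() not in BODY_HEADERS}
    if origin(new_url) != origin(url):
        new_headers = {k: v for k, v in new_headers.items()
                       if k.lower() not in SENSITIVE_HEADERS}
    return new_method, new_url, new_body, new_headers


def request_with_safe_redirects(http, method, url, body=None, headers=None,
                                max_redirects=5):
    """Send with automatic redirects disabled and follow them by hand.

    `http` needs a urllib3-style .request(...) that accepts redirect=False and
    returns an object with .status and .headers (urllib3.PoolManager does).
    Returns (final_response, hops); hops records every request actually sent.
    """
    headers = dict(headers or {})
    hops = []
    for _ in range(max_redirects + 1):
        resp = http.request(method, url, body=body, headers=headers, redirect=False)
        hops.append({"method": method, "url": url, "body": body,
                     "headers": dict(headers)})
        location = resp.headers.get("Location")
        if resp.status not in REDIRECT_STATUSES or not location:
            return resp, hops
        method, url, body, headers = prepare_redirect(
            method, url, body, headers, resp.status, location)
    raise RuntimeError("too many redirects")


# --- Constructed stand-in for a compromised origin, so this runs offline ---
class _Resp:
    def __init__(self, status, headers=None):
        self.status, self.headers = status, headers or {}


class FakePool:
    """Scripted responses: a trusted origin that now redirects to an attacker host."""
    routes = {
        "https://api.trusted.example/login":
            _Resp(302, {"Location": "https://attacker.example/capture"}),
        "https://attacker.example/capture": _Resp(200),
    }

    def request(self, method, url, body=None, headers=None, redirect=True):
        assert redirect is False, "caller must disable automatic redirects"
        return self.routes[url]


def demo():
    """POST credentials to the trusted origin; the 302 must not carry them on."""
    resp, hops = request_with_safe_redirects(
        FakePool(), "POST", "https://api.trusted.example/login",
        body=b'{"user":"alice","password":"hunter2"}',
        headers={"Content-Type": "application/json",
                 "Cookie": "session=abc", "Authorization": "Bearer tok"})
    return resp.status, hops


if __name__ == "__main__":
    status, hops = demo()
    for hop in hops:
        print(hop["method"], hop["url"], hop["body"], sorted(hop["headers"]))
```

Running `demo()` shows two hops: the original POST with body and credentials to the trusted origin, then a bare GET to attacker.example with no body, no `Content-Type`, no `Cookie` and no `Authorization`. The same loop with a 307 or 308 keeps method and body, and a same-origin 303 keeps `Cookie` while still dropping the body, which is the behaviour the fixed urllib3 releases converge on.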
Risk_score null
Resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/urllib3@2.0.6
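A point this lookup illustrates and that is easy to miss when reading a VulnerableCode response by eye: the `fixed_packages` entry for one advisory can itself be flagged `is_vulnerable` (2.0.7 fixes CVE-2023-45803 but is still affected by VCID-ueb4-ur9q-u3e1), so "the version the advisory names" is not the same as "a version that is safe to pin". The following is an added example of triaging such a response, not VulnerableCode's own code. `LOOKUP` is hand-built from the values on this page (aliases are lists here, where the page shows them joined by commas, and only the fields the functions read are kept), and the version comparison assumes plain dotted numeric versions.

```python
# Added example: triage of a VulnerableCode package lookup. Not
# VulnerableCode's code; LOOKUP is constructed from the values on this page.

LOOKUP = {
    "purl": "pkg:pypi/urllib3@2.0.6",
    "is_vulnerable": True,
    "next_non_vulnerable_version": "2.7.0",
    "latest_non_vulnerable_version": "2.7.0",
    "affected_by_vulnerabilities": [
        {"vulnerability_id": "VCID-21kr-1hbf-rfag",
         "aliases": ["CVE-2023-45803", "GHSA-g4mx-q9vg-27p4", "PYSEC-2023-212"],
         "fixed_packages": [
             {"purl": "pkg:pypi/urllib3@2.0.7", "is_vulnerable": True,
              "affected_by_vulnerabilities": [{"vulnerability": "VCID-ueb4-ur9q-u3e1"}]}]},
        {"vulnerability_id": "VCID-ueb4-ur9q-u3e1",
         "aliases": ["CVE-2026-44431", "GHSA-qccp-gfcp-xxvc", "PYSEC-2026-141"],
         "fixed_packages": [
             {"purl": "pkg:pypi/urllib3@2.7.0", "is_vulnerable": False,
              "affected_by_vulnerabilities": []}]},
    ],
    "fixing_vulnerabilities": [
        {"vulnerability_id": "VCID-ah3u-nfq4-dfg6",
         "aliases": ["CVE-2023-43804", "GHSA-v845-jxx5-vc9f", "PYSEC-2023-192"]},
    ],
}


def purl_version(purl):
    """'pkg:pypi/urllib3@2.0.7' -> '2.0.7'."""
    return purl.rsplit("@", 1)[1]


def version_key(version):
    """Sort key for dotted numeric versions (assumption: no pre-release tags)."""
    return tuple(int(part) for part in version.split("."))


def residual_vulnerabilities(lookup, version):
    """VCIDs that still affect `version` according to the fixed_packages data.

    Only versions that appear as a fixed package are known to this function;
    a version absent from the response yields an empty list, not a guarantee.
    """
    residual = set()
    for vuln in lookup["affected_by_vulnerabilities"]:
        for fixed in vuln["fixed_packages"]:
            if purl_version(fixed["purl"]) == version and fixed["is_vulnerable"]:
                residual.update(v["vulnerability"]
                                for v in fixed["affected_by_vulnerabilities"])
    return sorted(residual)


def triage(lookup):
    """Summarise what the queried version is exposed to and where to move it.

    The recommended target is the larger of the highest per-advisory fix
    version and the database's own next_non_vulnerable_version pointer, so a
    single upgrade closes every advisory listed rather than just the first.
    """
    affected = lookup["affected_by_vulnerabilities"]
    cves = sorted(a for v in affected for a in v["aliases"] if a.startswith("CVE-"))
    fix_versions = [purl_version(f["purl"]) for v in affected for f in v["fixed_packages"]]
    candidates = fix_versions + [lookup["next_non_vulnerable_version"]]
    recommended = max(candidates, key=version_key)
    already_fixes = sorted(a for v in lookup["fixing_vulnerabilities"]
                           for a in v["aliases"] if a.startswith("CVE-"))
    return {
        "purl": lookup["purl"],
        "is_vulnerable": lookup["is_vulnerable"],
        "cves": cves,
        "per_advisory_fix_versions": fix_versions,
        "recommended_version": recommended,
        "residual_at_recommended": residual_vulnerabilities(lookup, recommended),
        # CVEs this version already closes: pinning below it reintroduces them.
        "already_fixes": already_fixes,
    }


if __name__ == "__main__":
    report = triage(LOOKUP)
    for key, value in report.items():
        print(f"{key}: {value}")
    print("residual at 2.0.7:", residual_vulnerabilities(LOOKUP, "2.0.7"))
```

For this response the report recommends 2.7.0 with no residual VCIDs, while asking about 2.0.7 (the version the CVE-2023-45803 advisory names) returns VCID-ueb4-ur9q-u3e1, which is why `next_non_vulnerable_version` rather than the advisory's own fixed version is the field to act on.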