purl | pkg:deb/debian/python-urllib3@1.26.12-1%2Bdeb12u1
---|---

Vulnerabilities affecting this package

Vulnerability | Summary | Fixed by
---|---|---
This package is not known to be affected by vulnerabilities. | |
Vulnerabilities fixed by this package

Vulnerability | Summary | Aliases
---|---|---
VCID-1cgk-q3r3-aaam | urllib3's Proxy-Authorization request header isn't stripped during cross-origin redirects (full advisory text below) | CVE-2024-37891, GHSA-34jh-p97f-mpxf
VCID-c4sy-7zv4-aaas | `Cookie` HTTP header isn't stripped on cross-origin redirects | CVE-2023-43804, GHSA-v845-jxx5-vc9f, PYSEC-0000-CVE-2023-43804, PYSEC-2023-192
VCID-r496-vgsm-aaac | urllib3's request body not stripped after redirect from 303 status changes request method to GET | CVE-2023-45803, GHSA-g4mx-q9vg-27p4, PYSEC-0000-CVE-2023-45803, PYSEC-2023-212

Advisory text for VCID-1cgk-q3r3-aaam:

When using urllib3's proxy support with `ProxyManager`, the `Proxy-Authorization` header is only sent to the configured proxy, as expected. However, when sending HTTP requests *without* using urllib3's proxy support, it's possible to accidentally configure the `Proxy-Authorization` header even though it won't have any effect as the request is not using a forwarding proxy or a tunneling proxy. In those cases, urllib3 doesn't treat the `Proxy-Authorization` HTTP header as one carrying authentication material and thus doesn't strip the header on cross-origin redirects. Because this is a highly unlikely scenario, we believe the severity of this vulnerability is low for almost all users. Out of an abundance of caution urllib3 will automatically strip the `Proxy-Authorization` header during cross-origin redirects to avoid the small chance that users are doing this by accident. Users should use urllib3's proxy support or disable automatic redirects to achieve safe processing of the `Proxy-Authorization` header, but we still decided to strip the header by default in order to further protect users who aren't using the correct approach.

## Affected usages

We believe the number of usages affected by this advisory is low. It requires all of the following to be true to be exploited:

* Setting the `Proxy-Authorization` header without using urllib3's built-in proxy support.
* Not disabling HTTP redirects.
* Either not using an HTTPS origin server or for the proxy or target origin to redirect to a malicious origin.

## Remediation

* Using the `Proxy-Authorization` header with urllib3's `ProxyManager`.
* Disabling HTTP redirects using `redirects=False` when sending requests.
* Not using the `Proxy-Authorization` header.
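The three fixed issues above share one root cause: a redirect follower that replays too much of the original request. CVE-2023-43804 and CVE-2024-37891 are credential-bearing headers (`Cookie`, `Proxy-Authorization`) sent on to a different origin; CVE-2023-45803 is a request body replayed after a 303 turned the request into a GET. The following is an added, stand-alone model of the hygiene a safe follower needs, written for this page; it is not urllib3's code, not the Debian patch, and uses only the standard library. The origin definition (scheme, host and port, with default ports normalised), the header sets and the sample request are assumptions chosen for the illustration. One practical caveat on the advisory's remediation list: the keyword urllib3's `request()`/`urlopen()` actually accept to turn off automatic redirects is `redirect=False` (singular), so copy that spelling rather than `redirects=False`.

```python
"""Redirect hygiene for an HTTP client, as an added illustration of the three
urllib3 issues fixed in this package (CVE-2023-43804, CVE-2023-45803,
CVE-2024-37891). This is NOT urllib3's code; it models the behaviour a safe
redirect follower should have, using only the standard library."""
from urllib.parse import urlsplit, urljoin

# Headers that carry credentials and must not leak to a different origin.
# Proxy-Authorization is included because, outside a proxy configuration, it
# is just another credential-bearing header (CVE-2024-37891). Assumed set.
SENSITIVE_HEADERS = frozenset({"authorization", "cookie", "proxy-authorization"})

# Headers that describe a request body; meaningless once the body is dropped.
BODY_HEADERS = frozenset({"content-length", "content-type", "transfer-encoding"})

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return (scheme, host, port) with the default port filled in, so that
    http://a.example/ and http://a.example:80/ compare as the same origin."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return scheme, host, port


def is_cross_origin(from_url, to_url):
    """True when the redirect target is not the scheme/host/port we started on."""
    return origin(from_url) != origin(to_url)


def prepare_redirect(method, url, headers, body, status, location):
    """Compute the follow-up request for a redirect response.

    Returns (method, url, headers, body). Three rules are applied:
      1. Credential-bearing headers are dropped on cross-origin redirects.
      2. A 303 See Other switches the method to GET and discards the body
         (HEAD is left alone: a HEAD caller never wanted a body).
      3. Whenever the body is discarded, the body-describing headers go too.
    """
    new_url = urljoin(url, location)  # Location may be relative
    new_headers = dict(headers)
    new_method = method
    new_body = body

    if is_cross_origin(url, new_url):
        new_headers = {k: v for k, v in new_headers.items()
                       if k.lower() not in SENSITIVE_HEADERS}

    if status == 303 and method != "HEAD":
        # 303 means "retrieve this other resource with GET": the original
        # request body must not be replayed (CVE-2023-45803).
        new_method = "GET"
        new_body = None
        new_headers = {k: v for k, v in new_headers.items()
                       if k.lower() not in BODY_HEADERS}

    return new_method, new_url, new_headers, new_body


def demo():
    """Constructed sample: an authenticated POST is answered with a 303 that
    points at a different scheme and host. Everything sensitive must go."""
    headers = {
        "Authorization": "Bearer s3cr3t",
        "Cookie": "session=abc",
        "Proxy-Authorization": "Basic cHJveHk6cHc=",
        "Content-Type": "application/json",
        "Content-Length": "10",
        "User-Agent": "example/1.0",
    }
    return prepare_redirect("POST", "https://api.example.com/login", headers,
                            b'{"a":"b"}', 303, "http://evil.example.net/collect")


if __name__ == "__main__":
    print(demo())
```

Running `demo()` yields a bare `GET http://evil.example.net/collect` carrying only `User-Agent` and no body. The same-origin case is the interesting negative: a `302` to a relative `Location` on the same scheme, host and port keeps `Cookie`, which is exactly why the origin comparison has to normalise default ports rather than compare netloc strings.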
Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
---|---|---|---|---|---|
2025-06-21T08:55:06.925222+00:00 | Debian Importer | Fixing | VCID-1cgk-q3r3-aaam | https://security-tracker.debian.org/tracker/data/json | 36.1.3 |
2025-06-21T02:19:32.723005+00:00 | Debian Importer | Fixing | VCID-r496-vgsm-aaac | None | 36.1.3 |
2025-06-21T01:55:15.335559+00:00 | Debian Importer | Fixing | VCID-r496-vgsm-aaac | https://security-tracker.debian.org/tracker/data/json | 36.1.3 |
2025-06-20T21:21:25.529055+00:00 | Debian Importer | Fixing | VCID-c4sy-7zv4-aaas | None | 36.1.3 |
2025-06-20T20:29:47.635341+00:00 | Debian Importer | Fixing | VCID-c4sy-7zv4-aaas | https://security-tracker.debian.org/tracker/data/json | 36.1.3 |
2025-06-05T14:19:04.980135+00:00 | Debian Importer | Fixing | VCID-c4sy-7zv4-aaas | https://security-tracker.debian.org/tracker/data/json | 36.1.0 |
2025-04-13T02:36:50.583617+00:00 | Debian Oval Importer | Fixing | VCID-c4sy-7zv4-aaas | https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 | 36.0.0 |
2025-04-13T02:36:43.768557+00:00 | Debian Oval Importer | Fixing | VCID-r496-vgsm-aaac | https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 | 36.0.0 |
2025-04-13T02:36:36.573570+00:00 | Debian Oval Importer | Fixing | VCID-1cgk-q3r3-aaam | https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 | 36.0.0 |
2025-04-05T06:11:16.831799+00:00 | Debian Importer | Fixing | VCID-1cgk-q3r3-aaam | https://security-tracker.debian.org/tracker/data/json | 36.0.0 |
2025-04-04T05:05:29.436051+00:00 | Debian Importer | Fixing | VCID-r496-vgsm-aaac | None | 36.0.0 |
2025-04-04T04:40:34.161821+00:00 | Debian Importer | Fixing | VCID-r496-vgsm-aaac | https://security-tracker.debian.org/tracker/data/json | 36.0.0 |
2025-04-03T23:59:21.717468+00:00 | Debian Importer | Fixing | VCID-c4sy-7zv4-aaas | None | 36.0.0 |
2025-04-03T23:18:06.583490+00:00 | Debian Importer | Fixing | VCID-c4sy-7zv4-aaas | https://security-tracker.debian.org/tracker/data/json | 36.0.0 |
2025-02-22T00:09:35.580373+00:00 | Debian Importer | Fixing | VCID-1cgk-q3r3-aaam | https://security-tracker.debian.org/tracker/data/json | 35.1.0 |
2025-02-21T14:19:02.163365+00:00 | Debian Importer | Fixing | VCID-r496-vgsm-aaac | None | 35.1.0 |
2025-02-21T14:19:01.485482+00:00 | Debian Importer | Fixing | VCID-r496-vgsm-aaac | https://security-tracker.debian.org/tracker/data/json | 35.1.0 |
2025-02-21T13:59:57.826795+00:00 | Debian Importer | Fixing | VCID-c4sy-7zv4-aaas | None | 35.1.0 |
2025-02-21T13:59:56.419838+00:00 | Debian Importer | Fixing | VCID-c4sy-7zv4-aaas | https://security-tracker.debian.org/tracker/data/json | 35.1.0 |