Search for packages
| purl | pkg:deb/debian/python-urllib3@1.26.12-1 |
| Tags | Ghost |
| Next non-vulnerable version | 1.26.12-1+deb12u1 |
| Latest non-vulnerable version | 1.26.12-1+deb12u1 |
| Risk | 4.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-1cgk-q3r3-aaam
Aliases: CVE-2024-37891 GHSA-34jh-p97f-mpxf |
urllib3's Proxy-Authorization request header isn't stripped during cross-origin redirects When using urllib3's proxy support with `ProxyManager`, the `Proxy-Authorization` header is only sent to the configured proxy, as expected. However, when sending HTTP requests *without* using urllib3's proxy support, it's possible to accidentally configure the `Proxy-Authorization` header even though it won't have any effect as the request is not using a forwarding proxy or a tunneling proxy. In those cases, urllib3 doesn't treat the `Proxy-Authorization` HTTP header as one carrying authentication material and thus doesn't strip the header on cross-origin redirects. Because this is a highly unlikely scenario, we believe the severity of this vulnerability is low for almost all users. Out of an abundance of caution urllib3 will automatically strip the `Proxy-Authorization` header during cross-origin redirects to avoid the small chance that users are doing this on accident. Users should use urllib3's proxy support or disable automatic redirects to achieve safe processing of the `Proxy-Authorization` header, but we still decided to strip the header by default in order to further protect users who aren't using the correct approach. ## Affected usages We believe the number of usages affected by this advisory is low. It requires all of the following to be true to be exploited: * Setting the `Proxy-Authorization` header without using urllib3's built-in proxy support. * Not disabling HTTP redirects. * Either not using an HTTPS origin server or for the proxy or target origin to redirect to a malicious origin. ## Remediation * Using the `Proxy-Authorization` header with urllib3's `ProxyManager`. * Disabling HTTP redirects using `redirects=False` when sending requests. * Not using the `Proxy-Authorization` header. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-c4sy-7zv4-aaas
Aliases: CVE-2023-43804 GHSA-v845-jxx5-vc9f PYSEC-0000-CVE-2023-43804 PYSEC-2023-192 |
`Cookie` HTTP header isn't stripped on cross-origin redirects |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-r496-vgsm-aaac
Aliases: CVE-2023-45803 GHSA-g4mx-q9vg-27p4 PYSEC-0000-CVE-2023-45803 PYSEC-2023-212 |
urllib3's request body not stripped after redirect from 303 status changes request method to GET |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2024-12-15T15:28:42.508793+00:00 | Debian Importer | Affected by | VCID-1cgk-q3r3-aaam | https://security-tracker.debian.org/tracker/data/json | 35.0.0 |
| 2024-11-24T03:25:56.623685+00:00 | Debian Importer | Affected by | VCID-r496-vgsm-aaac | https://security-tracker.debian.org/tracker/data/json | 35.0.0 |
| 2024-11-24T03:08:15.482936+00:00 | Debian Importer | Affected by | VCID-c4sy-7zv4-aaas | https://security-tracker.debian.org/tracker/data/json | 35.0.0 |
| 2024-10-11T00:50:28.178127+00:00 | Debian Importer | Affected by | VCID-r496-vgsm-aaac | https://security-tracker.debian.org/tracker/data/json | 34.0.2 |
| 2024-10-11T00:34:52.728413+00:00 | Debian Importer | Affected by | VCID-c4sy-7zv4-aaas | https://security-tracker.debian.org/tracker/data/json | 34.0.2 |
| 2024-09-20T05:21:08.813323+00:00 | Debian Importer | Affected by | VCID-r496-vgsm-aaac | https://security-tracker.debian.org/tracker/data/json | 34.0.1 |
| 2024-09-20T05:13:41.040186+00:00 | Debian Importer | Affected by | VCID-c4sy-7zv4-aaas | https://security-tracker.debian.org/tracker/data/json | 34.0.1 |
| 2024-04-26T05:29:29.372827+00:00 | Debian Importer | Affected by | VCID-r496-vgsm-aaac | None | 34.0.0rc4 |
| 2024-04-26T05:29:28.488674+00:00 | Debian Importer | Affected by | VCID-r496-vgsm-aaac | https://security-tracker.debian.org/tracker/data/json | 34.0.0rc4 |
| 2024-04-26T05:19:22.491993+00:00 | Debian Importer | Affected by | VCID-c4sy-7zv4-aaas | None | 34.0.0rc4 |
| 2024-04-26T05:19:21.690873+00:00 | Debian Importer | Affected by | VCID-c4sy-7zv4-aaas | https://security-tracker.debian.org/tracker/data/json | 34.0.0rc4 |
| 2024-01-05T09:51:09.303178+00:00 | Debian Importer | Affected by | VCID-c4sy-7zv4-aaas | https://security-tracker.debian.org/tracker/data/json | 34.0.0rc1 |
| 2024-01-05T09:51:06.849777+00:00 | Debian Importer | Affected by | VCID-c4sy-7zv4-aaas | None | 34.0.0rc1 |