Package details: pkg:pypi/urllib3@1.26.18
purl pkg:pypi/urllib3@1.26.18
Next non-vulnerable version 1.26.19
Latest non-vulnerable version 2.5.0
Risk 3.1
Vulnerabilities affecting this package (1)
Vulnerability: VCID-1cgk-q3r3-aaam
Aliases: CVE-2024-37891, GHSA-34jh-p97f-mpxf

Summary:

urllib3's Proxy-Authorization request header isn't stripped during cross-origin redirects

When using urllib3's proxy support with `ProxyManager`, the `Proxy-Authorization` header is only sent to the configured proxy, as expected. However, when sending HTTP requests *without* using urllib3's proxy support, it's possible to accidentally configure the `Proxy-Authorization` header even though it won't have any effect as the request is not using a forwarding proxy or a tunneling proxy. In those cases, urllib3 doesn't treat the `Proxy-Authorization` HTTP header as one carrying authentication material and thus doesn't strip the header on cross-origin redirects.

Because this is a highly unlikely scenario, we believe the severity of this vulnerability is low for almost all users. Out of an abundance of caution urllib3 will automatically strip the `Proxy-Authorization` header during cross-origin redirects to avoid the small chance that users are doing this on accident. Users should use urllib3's proxy support or disable automatic redirects to achieve safe processing of the `Proxy-Authorization` header, but we still decided to strip the header by default in order to further protect users who aren't using the correct approach.

## Affected usages

We believe the number of usages affected by this advisory is low. It requires all of the following to be true to be exploited:

* Setting the `Proxy-Authorization` header without using urllib3's built-in proxy support.
* Not disabling HTTP redirects.
* Either not using an HTTPS origin server or for the proxy or target origin to redirect to a malicious origin.

## Remediation

* Using the `Proxy-Authorization` header with urllib3's `ProxyManager`.
* Disabling HTTP redirects using `redirects=False` when sending requests.
* Not using the `Proxy-Authorization` header.

Fixed by:
1.26.19 (affected by 0 other vulnerabilities)
2.0.0a1 (affected by 0 other vulnerabilities)
2.2.2 (affected by 0 other vulnerabilities)
Vulnerabilities fixed by this package (1)
Vulnerability: VCID-r496-vgsm-aaac
Summary: urllib3's request body not stripped after redirect from 303 status changes request method to GET
Aliases: CVE-2023-45803, GHSA-g4mx-q9vg-27p4, PYSEC-0000-CVE-2023-45803, PYSEC-2023-212
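Both entries on this page are about what a client carries along when it follows a redirect: CVE-2024-37891 is about the `Proxy-Authorization` header surviving a cross-origin redirect, CVE-2023-45803 about a request body surviving a 303 that turns the request into a GET. The following is an added example written for this page, not urllib3's own code: it models the redirect policy as a pure function so the pre-fix and post-fix behaviour can be compared offline. The set of headers treated as credentials, the body-describing headers dropped on a method change, and the scenario URLs, headers and body are all constructed assumptions.

```python
"""Model of redirect-time header and body handling (added example, not
urllib3 code).  prepare_redirect() computes what a client would send to the
redirect target under a pre-fix policy (fixed=False) and the corrected policy
(fixed=True) for the two advisories on this page."""
from urllib.parse import urljoin, urlsplit

# Assumption: the pre-CVE-2024-37891 policy dropped only these credential
# headers on a cross-origin redirect; the fix adds Proxy-Authorization.
LEGACY_AUTH_HEADERS = frozenset({"authorization", "cookie"})
FIXED_AUTH_HEADERS = LEGACY_AUTH_HEADERS | {"proxy-authorization"}

# Assumption: headers describing a body that must not outlive the body when a
# 303 turns the request into GET (the CVE-2023-45803 situation).
BODY_HEADERS = frozenset({"content-length", "content-type",
                          "transfer-encoding", "content-encoding"})


def origin(url):
    """(scheme, host, effective port); default ports are filled in so that
    https://a.example and https://a.example:443 compare as the same origin."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    port = parts.port or {"http": 80, "https": 443}.get(scheme)
    return (scheme, (parts.hostname or "").lower(), port)


def is_cross_origin(from_url, to_url):
    return origin(from_url) != origin(to_url)


def prepare_redirect(from_url, status, location, method, headers, body, fixed=True):
    """Return (method, url, headers, body) for following one redirect.

    fixed=False: credentials other than Proxy-Authorization are stripped
    cross-origin, and a 303 changes the method to GET but keeps the body.
    fixed=True:  Proxy-Authorization is stripped too, and a 303 drops the body
    together with the headers that describe it.
    """
    to_url = urljoin(from_url, location)  # Location may be relative
    new_headers = dict(headers)

    if is_cross_origin(from_url, to_url):
        sensitive = FIXED_AUTH_HEADERS if fixed else LEGACY_AUTH_HEADERS
        new_headers = {k: v for k, v in new_headers.items()
                       if k.lower() not in sensitive}

    if status == 303:
        method = "GET"  # RFC 9110 section 15.4.4: 303 means "GET this instead"
        if fixed:
            body = None
            new_headers = {k: v for k, v in new_headers.items()
                           if k.lower() not in BODY_HEADERS}
        # fixed=False: the body and its headers ride along with the GET.

    return method, to_url, new_headers, body


# Constructed scenario: a client set Proxy-Authorization by hand (no
# ProxyManager), POSTed a JSON body, and is bounced to another origin via 303.
ORIGIN_URL = "http://api.example/login"
REDIRECT_TO = "https://attacker.example/collect"
HEADERS = {
    "Authorization": "Bearer s3cr3t",
    "Proxy-Authorization": "Basic cHJveHk6aHVudGVyMg==",
    "Content-Type": "application/json",
    "Content-Length": "17",
    "User-Agent": "example/1.0",
}
BODY = b'{"pin": "123456"}'


def demo():
    """Pre-fix and post-fix outcomes for the constructed scenario."""
    vulnerable = prepare_redirect(ORIGIN_URL, 303, REDIRECT_TO, "POST",
                                  HEADERS, BODY, fixed=False)
    hardened = prepare_redirect(ORIGIN_URL, 303, REDIRECT_TO, "POST",
                                HEADERS, BODY, fixed=True)
    return vulnerable, hardened


if __name__ == "__main__":
    for label, (m, u, h, b) in zip(("vulnerable", "hardened"), demo()):
        print(f"{label}: {m} {u} headers={sorted(h)} body={b!r}")
```

In the pre-fix run the `Proxy-Authorization` value and the POST body both reach `attacker.example`; in the fixed run only `User-Agent` survives alongside the GET. If you want the advisory's "disable redirects" remediation in real urllib3, note that the keyword accepted by `PoolManager.request()` and `urlopen()` is `redirect=False` (singular); with redirects off, `prepare_redirect` is simply never reached and the caller decides what to do with the 3xx response.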

Date Actor Action Vulnerability Source VulnerableCode Version
2025-06-20T17:03:41.891745+00:00 GitLab Importer Affected by VCID-1cgk-q3r3-aaam https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/urllib3/CVE-2024-37891.yml 36.1.3
2025-06-03T23:40:03.936857+00:00 GitLab Importer Affected by VCID-1cgk-q3r3-aaam https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/urllib3/CVE-2024-37891.yml 36.1.0
2025-06-02T23:38:20.257835+00:00 GitLab Importer Affected by VCID-1cgk-q3r3-aaam https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/urllib3/CVE-2024-37891.yml 36.1.2
2025-04-03T22:15:43.731373+00:00 GitLab Importer Affected by VCID-1cgk-q3r3-aaam https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/urllib3/CVE-2024-37891.yml 36.0.0
2025-02-18T04:01:30.110252+00:00 GitLab Importer Affected by VCID-1cgk-q3r3-aaam https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/urllib3/CVE-2024-37891.yml 35.1.0
2024-11-21T01:10:55.378065+00:00 GitLab Importer Affected by VCID-1cgk-q3r3-aaam https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/urllib3/CVE-2024-37891.yml 35.0.0
2024-11-19T19:44:43.480983+00:00 GHSA Importer Fixing VCID-r496-vgsm-aaac https://github.com/advisories/GHSA-g4mx-q9vg-27p4 34.3.2
2024-11-19T15:50:03.779705+00:00 GitLab Importer Fixing VCID-r496-vgsm-aaac https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/urllib3/CVE-2023-45803.yml 34.3.2
2024-11-19T00:59:37.381797+00:00 GitLab Importer Affected by VCID-1cgk-q3r3-aaam https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/urllib3/CVE-2024-37891.yml 34.3.2
2024-10-15T19:17:33.470406+00:00 GithubOSV Importer Fixing VCID-r496-vgsm-aaac https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-g4mx-q9vg-27p4/GHSA-g4mx-q9vg-27p4.json 34.0.2
2024-10-08T01:37:22.828891+00:00 GitLab Importer Affected by VCID-1cgk-q3r3-aaam https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/urllib3/CVE-2024-37891.yml 34.0.2
2024-10-07T22:16:22.877598+00:00 GHSA Importer Affected by VCID-1cgk-q3r3-aaam https://github.com/advisories/GHSA-34jh-p97f-mpxf 34.0.2
2024-10-07T21:45:08.604059+00:00 GHSA Importer Fixing VCID-r496-vgsm-aaac https://github.com/advisories/GHSA-g4mx-q9vg-27p4 34.0.2
2024-09-23T01:34:38.067245+00:00 GitLab Importer Affected by VCID-1cgk-q3r3-aaam https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/urllib3/CVE-2024-37891.yml 34.0.1
2024-09-22T22:42:57.020889+00:00 GHSA Importer Affected by VCID-1cgk-q3r3-aaam https://github.com/advisories/GHSA-34jh-p97f-mpxf 34.0.1
2024-09-18T12:28:39.848828+00:00 Pypa Importer Fixing VCID-r496-vgsm-aaac https://github.com/pypa/advisory-database/blob/main/vulns/urllib3/PYSEC-2023-212.yaml 34.0.1
2024-09-18T09:22:34.600853+00:00 GithubOSV Importer Fixing VCID-r496-vgsm-aaac https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-g4mx-q9vg-27p4/GHSA-g4mx-q9vg-27p4.json 34.0.1
2024-09-17T23:17:53.139558+00:00 PyPI Importer Fixing VCID-r496-vgsm-aaac https://osv-vulnerabilities.storage.googleapis.com/PyPI/all.zip 34.0.1
2024-09-17T22:28:27.514141+00:00 GitLab Importer Fixing VCID-r496-vgsm-aaac https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/urllib3/CVE-2023-45803.yml 34.0.1
2024-09-17T22:13:33.012316+00:00 GHSA Importer Fixing VCID-r496-vgsm-aaac https://github.com/advisories/GHSA-g4mx-q9vg-27p4 34.0.1
2024-05-17T20:52:12.587356+00:00 GHSA Importer Fixing VCID-r496-vgsm-aaac https://github.com/advisories/GHSA-g4mx-q9vg-27p4 34.0.0rc4
2024-05-17T20:52:10.604975+00:00 GHSA Importer Fixing VCID-r496-vgsm-aaac None 34.0.0rc4
2024-04-23T23:14:39.746575+00:00 GithubOSV Importer Fixing VCID-r496-vgsm-aaac https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-g4mx-q9vg-27p4/GHSA-g4mx-q9vg-27p4.json 34.0.0rc4
2024-01-10T02:59:16.659977+00:00 GHSA Importer Fixing VCID-r496-vgsm-aaac https://github.com/advisories/GHSA-g4mx-q9vg-27p4 34.0.0rc2
2024-01-10T02:59:14.829970+00:00 GHSA Importer Fixing VCID-r496-vgsm-aaac None 34.0.0rc2
2024-01-03T18:54:07.850951+00:00 PyPI Importer Fixing VCID-r496-vgsm-aaac https://osv-vulnerabilities.storage.googleapis.com/PyPI/all.zip 34.0.0rc1
2024-01-03T18:20:28.926526+00:00 Pypa Importer Fixing VCID-r496-vgsm-aaac https://github.com/pypa/advisory-database/blob/main/vulns/urllib3/PYSEC-2023-212.yaml 34.0.0rc1
2024-01-03T17:54:00.980714+00:00 GitLab Importer Fixing VCID-r496-vgsm-aaac https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/urllib3/CVE-2023-45803.yml 34.0.0rc1
2024-01-03T17:43:44.285734+00:00 GHSA Importer Fixing VCID-r496-vgsm-aaac https://github.com/advisories/GHSA-g4mx-q9vg-27p4 34.0.0rc1