Vulnerability details: VCID-1cgk-q3r3-aaam
Vulnerability ID VCID-1cgk-q3r3-aaam
Aliases CVE-2024-37891
GHSA-34jh-p97f-mpxf
Summary
urllib3's Proxy-Authorization request header isn't stripped during cross-origin redirects

When using urllib3's proxy support with `ProxyManager`, the `Proxy-Authorization` header is only sent to the configured proxy, as expected. However, when sending HTTP requests *without* using urllib3's proxy support, it's possible to accidentally configure the `Proxy-Authorization` header even though it won't have any effect, as the request is not using a forwarding proxy or a tunneling proxy. In those cases, urllib3 doesn't treat the `Proxy-Authorization` HTTP header as one carrying authentication material and thus doesn't strip the header on cross-origin redirects.

Because this is a highly unlikely scenario, we believe the severity of this vulnerability is low for almost all users. Out of an abundance of caution, urllib3 will automatically strip the `Proxy-Authorization` header during cross-origin redirects to avoid the small chance that users are doing this by accident. Users should use urllib3's proxy support or disable automatic redirects to achieve safe processing of the `Proxy-Authorization` header, but we still decided to strip the header by default in order to further protect users who aren't using the correct approach.

## Affected usages

We believe the number of usages affected by this advisory is low. It requires all of the following to be true to be exploited:

* Setting the `Proxy-Authorization` header without using urllib3's built-in proxy support.
* Not disabling HTTP redirects.
* Either not using an HTTPS origin server, or the proxy or target origin redirecting to a malicious origin.

## Remediation

* Using the `Proxy-Authorization` header with urllib3's `ProxyManager`.
* Disabling HTTP redirects using `redirects=False` when sending requests.
* Not using the `Proxy-Authorization` header.
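The behaviour the advisory describes, as an added stand-alone model that is not urllib3's own code: a client that follows redirects and drops credential-bearing headers only when the redirect target is a different origin. The pre-fix header set omits `Proxy-Authorization`, the fixed set includes it, and `max_redirects=0` models the "disable redirects" remediation; the origin test (scheme, host, port) and the sample URLs and header values are constructed for this example.

```python
from urllib.parse import urlsplit

# Credential-bearing headers that must not travel to a different origin.
# PRE_FIX mirrors the advisory's description of the old behaviour (Proxy-Authorization
# not treated as authentication material); FIXED adds it, as patched urllib3 does.
PRE_FIX_SENSITIVE = frozenset({"authorization", "cookie"})
FIXED_SENSITIVE = PRE_FIX_SENSITIVE | {"proxy-authorization"}

DEFAULT_PORTS = {"http": 80, "https": 443}  # assumption: only these schemes matter here


def origin(url):
    """Return (scheme, host, port), filling in the scheme's default port."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return scheme, (parts.hostname or "").lower(), port


def is_cross_origin(src, dst):
    # Constructed rule for this example: any change of scheme, host or port is cross-origin.
    return origin(src) != origin(dst)


def headers_for_redirect(headers, src, dst, sensitive=FIXED_SENSITIVE):
    """Headers a client may send to `dst` after `src` redirected it there."""
    if not is_cross_origin(src, dst):
        return dict(headers)
    return {k: v for k, v in headers.items() if k.lower() not in sensitive}


def follow_redirects(url, headers, location_table, max_redirects=3, sensitive=FIXED_SENSITIVE):
    """Simulate a client following redirects; returns [(url, headers_sent), ...].
    `location_table` maps a URL to the Location the constructed server answers with
    (None means a final response). max_redirects=0 models redirects being disabled."""
    sent = [(url, dict(headers))]
    for _ in range(max_redirects):
        nxt = location_table.get(url)
        if nxt is None:
            break
        headers = headers_for_redirect(headers, url, nxt, sensitive)
        url = nxt
        sent.append((url, headers))
    return sent


# Constructed sample: the origin server bounces the client to another host.
CONSTRUCTED_TABLE = {"https://api.example.test/v1/data": "https://redirect.example.test/capture"}
CONSTRUCTED_HEADERS = {
    "Proxy-Authorization": "Basic PLACEHOLDER",  # placeholder, not a real credential
    "Authorization": "Bearer PLACEHOLDER",
    "Accept": "application/json",
}
```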
Status Published
Exploitability 0.5
Weighted Severity 6.2
Risk 3.1
Affected and Fixed Packages Package Details
Weaknesses (3)
System Score Found at
cvssv3 4.4 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-37891.json
epss 0.0003 https://api.first.org/data/v1/epss?cve=CVE-2024-37891
epss 0.00033 https://api.first.org/data/v1/epss?cve=CVE-2024-37891
epss 0.00036 https://api.first.org/data/v1/epss?cve=CVE-2024-37891
epss 0.00043 https://api.first.org/data/v1/epss?cve=CVE-2024-37891
epss 0.00205 https://api.first.org/data/v1/epss?cve=CVE-2024-37891
epss 0.00222 https://api.first.org/data/v1/epss?cve=CVE-2024-37891
epss 0.00652 https://api.first.org/data/v1/epss?cve=CVE-2024-37891
cvssv3.1 4.4 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-34jh-p97f-mpxf
cvssv3.1 4.4 https://github.com/urllib3/urllib3
generic_textual MODERATE https://github.com/urllib3/urllib3
cvssv3.1 4.4 https://github.com/urllib3/urllib3/commit/40b6d1605814dd1db0a46e202d6e56f2e4c9a468
generic_textual MODERATE https://github.com/urllib3/urllib3/commit/40b6d1605814dd1db0a46e202d6e56f2e4c9a468
cvssv3.1 4.4 https://github.com/urllib3/urllib3/commit/accff72ecc2f6cf5a76d9570198a93ac7c90270e
generic_textual MODERATE https://github.com/urllib3/urllib3/commit/accff72ecc2f6cf5a76d9570198a93ac7c90270e
cvssv3.1 4.4 https://github.com/urllib3/urllib3/security/advisories/GHSA-34jh-p97f-mpxf
generic_textual MODERATE https://github.com/urllib3/urllib3/security/advisories/GHSA-34jh-p97f-mpxf
cvssv3.1 4.4 https://nvd.nist.gov/vuln/detail/CVE-2024-37891
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2024-37891
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-37891.json
https://api.first.org/data/v1/epss?cve=CVE-2024-37891
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-37891
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://github.com/urllib3/urllib3
https://github.com/urllib3/urllib3/commit/40b6d1605814dd1db0a46e202d6e56f2e4c9a468
https://github.com/urllib3/urllib3/commit/accff72ecc2f6cf5a76d9570198a93ac7c90270e
https://github.com/urllib3/urllib3/security/advisories/GHSA-34jh-p97f-mpxf
https://nvd.nist.gov/vuln/detail/CVE-2024-37891
https://security.netapp.com/advisory/ntap-20240822-0003/
https://www.vicarius.io/vsociety/posts/proxy-authorization-header-handling-vulnerability-in-urllib3-cve-2024-37891
1074149 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1074149
2292788 https://bugzilla.redhat.com/show_bug.cgi?id=2292788
GHSA-34jh-p97f-mpxf https://github.com/advisories/GHSA-34jh-p97f-mpxf
RHSA-2024:4422 https://access.redhat.com/errata/RHSA-2024:4422
RHSA-2024:4730 https://access.redhat.com/errata/RHSA-2024:4730
RHSA-2024:4744 https://access.redhat.com/errata/RHSA-2024:4744
RHSA-2024:4746 https://access.redhat.com/errata/RHSA-2024:4746
RHSA-2024:5041 https://access.redhat.com/errata/RHSA-2024:5041
RHSA-2024:5309 https://access.redhat.com/errata/RHSA-2024:5309
RHSA-2024:5526 https://access.redhat.com/errata/RHSA-2024:5526
RHSA-2024:5622 https://access.redhat.com/errata/RHSA-2024:5622
RHSA-2024:5627 https://access.redhat.com/errata/RHSA-2024:5627
RHSA-2024:5633 https://access.redhat.com/errata/RHSA-2024:5633
RHSA-2024:6162 https://access.redhat.com/errata/RHSA-2024:6162
RHSA-2024:6239 https://access.redhat.com/errata/RHSA-2024:6239
RHSA-2024:6240 https://access.redhat.com/errata/RHSA-2024:6240
RHSA-2024:6309 https://access.redhat.com/errata/RHSA-2024:6309
RHSA-2024:6310 https://access.redhat.com/errata/RHSA-2024:6310
RHSA-2024:6311 https://access.redhat.com/errata/RHSA-2024:6311
RHSA-2024:6358 https://access.redhat.com/errata/RHSA-2024:6358
RHSA-2024:7312 https://access.redhat.com/errata/RHSA-2024:7312
RHSA-2024:8035 https://access.redhat.com/errata/RHSA-2024:8035
RHSA-2024:8842 https://access.redhat.com/errata/RHSA-2024:8842
RHSA-2024:8843 https://access.redhat.com/errata/RHSA-2024:8843
RHSA-2024:8906 https://access.redhat.com/errata/RHSA-2024:8906
RHSA-2024:9457 https://access.redhat.com/errata/RHSA-2024:9457
RHSA-2024:9458 https://access.redhat.com/errata/RHSA-2024:9458
RHSA-2024:9922 https://access.redhat.com/errata/RHSA-2024:9922
RHSA-2024:9923 https://access.redhat.com/errata/RHSA-2024:9923
RHSA-2024:9985 https://access.redhat.com/errata/RHSA-2024:9985
USN-7084-1 https://usn.ubuntu.com/7084-1/
USN-7084-2 https://usn.ubuntu.com/7084-2/
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N
Attack Vector (AV): network
Attack Complexity (AC): high
Privileges Required (PR): high
User Interaction (UI): none
Scope (S): unchanged
Confidentiality Impact (C): high
Integrity Impact (I): none
Availability Impact (A): none
Found at:
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-37891.json
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://github.com/urllib3/urllib3
https://github.com/urllib3/urllib3/commit/40b6d1605814dd1db0a46e202d6e56f2e4c9a468
https://github.com/urllib3/urllib3/commit/accff72ecc2f6cf5a76d9570198a93ac7c90270e
https://github.com/urllib3/urllib3/security/advisories/GHSA-34jh-p97f-mpxf
https://nvd.nist.gov/vuln/detail/CVE-2024-37891
Exploit Prediction Scoring System (EPSS)
Percentile 0.05349
EPSS Score 0.0003
Published At April 7, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2024-06-18T00:33:48.771432+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/06/GHSA-34jh-p97f-mpxf/GHSA-34jh-p97f-mpxf.json 34.0.0rc4