Search for vulnerabilities
Vulnerability details: VCID-8k1j-7dnf-c7c9
Vulnerability ID VCID-8k1j-7dnf-c7c9
Aliases CVE-2023-32681
GHSA-j8r2-6x86-q33q
PYSEC-2023-74
Summary Requests is a HTTP library. Since Requests 2.3.0, Requests has been leaking Proxy-Authorization headers to destination servers when redirected to an HTTPS endpoint. This is a product of how we use `rebuild_proxies` to reattach the `Proxy-Authorization` header to requests. For HTTP connections sent through the tunnel, the proxy will identify the header in the request itself and remove it prior to forwarding to the destination server. However when sent over HTTPS, the `Proxy-Authorization` header must be sent in the CONNECT request as the proxy has no visibility into the tunneled request. This results in Requests forwarding proxy credentials to the destination server unintentionally, allowing a malicious actor to potentially exfiltrate sensitive information. This issue has been patched in version 2.31.0.
Status Published
Exploitability None
Weighted Severity None
Risk None
Affected and Fixed Packages Package Details
Weaknesses (4)
CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
CWE-402 Transmission of Private Resources into a New Sphere ('Resource Leak')
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
cvssv3 6.1 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-32681.json
epss 0.06278 https://api.first.org/data/v1/epss?cve=CVE-2023-32681
cvssv3.1 6.1 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1 6.1 https://github.com/psf/requests
generic_textual MODERATE https://github.com/psf/requests
cvssv3.1 6.1 https://github.com/psf/requests/commit/74ea7cf7a6a27a4eeb2ae24e162bcc942a6706d5
generic_textual MODERATE https://github.com/psf/requests/commit/74ea7cf7a6a27a4eeb2ae24e162bcc942a6706d5
ssvc Track https://github.com/psf/requests/commit/74ea7cf7a6a27a4eeb2ae24e162bcc942a6706d5
cvssv3.1 6.1 https://github.com/psf/requests/releases/tag/v2.31.0
generic_textual MODERATE https://github.com/psf/requests/releases/tag/v2.31.0
ssvc Track https://github.com/psf/requests/releases/tag/v2.31.0
cvssv3.1 6.1 https://github.com/psf/requests/security/advisories/GHSA-j8r2-6x86-q33q
generic_textual MODERATE https://github.com/psf/requests/security/advisories/GHSA-j8r2-6x86-q33q
ssvc Track https://github.com/psf/requests/security/advisories/GHSA-j8r2-6x86-q33q
cvssv3.1 6.1 https://github.com/pypa/advisory-database/tree/main/vulns/requests/PYSEC-2023-74.yaml
generic_textual MODERATE https://github.com/pypa/advisory-database/tree/main/vulns/requests/PYSEC-2023-74.yaml
cvssv3.1 6.1 https://lists.debian.org/debian-lts-announce/2023/06/msg00018.html
generic_textual MODERATE https://lists.debian.org/debian-lts-announce/2023/06/msg00018.html
ssvc Track https://lists.debian.org/debian-lts-announce/2023/06/msg00018.html
cvssv3.1 6.1 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AW7HNFGYP44RT3DUDQXG2QT3OEV2PJ7Y
generic_textual MODERATE https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AW7HNFGYP44RT3DUDQXG2QT3OEV2PJ7Y
cvssv3.1 6.1 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AW7HNFGYP44RT3DUDQXG2QT3OEV2PJ7Y/
ssvc Track https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AW7HNFGYP44RT3DUDQXG2QT3OEV2PJ7Y/
cvssv3.1 6.1 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KOYASTZDGQG2BWLSNBPL3TQRL2G7QYNZ
generic_textual MODERATE https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KOYASTZDGQG2BWLSNBPL3TQRL2G7QYNZ
cvssv3.1 6.1 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KOYASTZDGQG2BWLSNBPL3TQRL2G7QYNZ/
ssvc Track https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KOYASTZDGQG2BWLSNBPL3TQRL2G7QYNZ/
cvssv3.1 6.1 https://nvd.nist.gov/vuln/detail/CVE-2023-32681
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2023-32681
cvssv3.1 6.1 https://security.gentoo.org/glsa/202309-08
generic_textual MODERATE https://security.gentoo.org/glsa/202309-08
ssvc Track https://security.gentoo.org/glsa/202309-08
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-32681.json
https://api.first.org/data/v1/epss?cve=CVE-2023-32681
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32681
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://github.com/psf/requests
https://github.com/psf/requests/commit/74ea7cf7a6a27a4eeb2ae24e162bcc942a6706d5
https://github.com/psf/requests/releases/tag/v2.31.0
https://github.com/psf/requests/security/advisories/GHSA-j8r2-6x86-q33q
https://github.com/pypa/advisory-database/tree/main/vulns/requests/PYSEC-2023-74.yaml
https://lists.debian.org/debian-lts-announce/2023/06/msg00018.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AW7HNFGYP44RT3DUDQXG2QT3OEV2PJ7Y
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AW7HNFGYP44RT3DUDQXG2QT3OEV2PJ7Y/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KOYASTZDGQG2BWLSNBPL3TQRL2G7QYNZ
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KOYASTZDGQG2BWLSNBPL3TQRL2G7QYNZ/
https://nvd.nist.gov/vuln/detail/CVE-2023-32681
https://security.gentoo.org/glsa/202309-08
1036693 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036693
2209469 https://bugzilla.redhat.com/show_bug.cgi?id=2209469
cpe:2.3:a:python:requests:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:python:requests:*:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*
GHSA-j8r2-6x86-q33q https://github.com/advisories/GHSA-j8r2-6x86-q33q
RHSA-2023:4350 https://access.redhat.com/errata/RHSA-2023:4350
RHSA-2023:4520 https://access.redhat.com/errata/RHSA-2023:4520
RHSA-2023:4693 https://access.redhat.com/errata/RHSA-2023:4693
RHSA-2023:6793 https://access.redhat.com/errata/RHSA-2023:6793
RHSA-2023:6818 https://access.redhat.com/errata/RHSA-2023:6818
RHSA-2023:7034 https://access.redhat.com/errata/RHSA-2023:7034
RHSA-2023:7042 https://access.redhat.com/errata/RHSA-2023:7042
RHSA-2023:7050 https://access.redhat.com/errata/RHSA-2023:7050
RHSA-2024:0299 https://access.redhat.com/errata/RHSA-2024:0299
USN-6155-1 https://usn.ubuntu.com/6155-1/
USN-6155-2 https://usn.ubuntu.com/6155-2/
USN-7568-1 https://usn.ubuntu.com/7568-1/
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-32681.json
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N Found at https://github.com/psf/requests
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N Found at https://github.com/psf/requests/commit/74ea7cf7a6a27a4eeb2ae24e162bcc942a6706d5
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-14T19:35:47Z/ Found at https://github.com/psf/requests/commit/74ea7cf7a6a27a4eeb2ae24e162bcc942a6706d5
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N Found at https://github.com/psf/requests/releases/tag/v2.31.0
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-14T19:35:47Z/ Found at https://github.com/psf/requests/releases/tag/v2.31.0
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N Found at https://github.com/psf/requests/security/advisories/GHSA-j8r2-6x86-q33q
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-14T19:35:47Z/ Found at https://github.com/psf/requests/security/advisories/GHSA-j8r2-6x86-q33q
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N Found at https://github.com/pypa/advisory-database/tree/main/vulns/requests/PYSEC-2023-74.yaml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N Found at https://lists.debian.org/debian-lts-announce/2023/06/msg00018.html
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-14T19:35:47Z/ Found at https://lists.debian.org/debian-lts-announce/2023/06/msg00018.html
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N Found at https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AW7HNFGYP44RT3DUDQXG2QT3OEV2PJ7Y
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N Found at https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AW7HNFGYP44RT3DUDQXG2QT3OEV2PJ7Y/
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-14T19:35:47Z/ Found at https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AW7HNFGYP44RT3DUDQXG2QT3OEV2PJ7Y/
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N Found at https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KOYASTZDGQG2BWLSNBPL3TQRL2G7QYNZ
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N Found at https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KOYASTZDGQG2BWLSNBPL3TQRL2G7QYNZ/
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-14T19:35:47Z/ Found at https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KOYASTZDGQG2BWLSNBPL3TQRL2G7QYNZ/
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2023-32681
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N Found at https://security.gentoo.org/glsa/202309-08
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-14T19:35:47Z/ Found at https://security.gentoo.org/glsa/202309-08
Exploit Prediction Scoring System (EPSS)
Percentile 0.90463
EPSS Score 0.06278
Published At June 30, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2025-07-01T12:13:58.025884+00:00 Ubuntu USN Importer Import https://usn.ubuntu.com/6155-1/ 36.1.3