csaf_microsoft - msrc_cve-2023-45803

MSRC_CVE-2023-45803

Vulnerability from csaf_microsoft - Published: 2023-10-01 00:00 - Updated: 2025-07-18 00:00

Summary

Request body not stripped after redirect in urllib3

Notes

Additional Resources

To determine the support lifecycle for your software, see the Microsoft Support Lifecycle: https://support.microsoft.com/lifecycle

Disclaimer

The information provided in the Microsoft Knowledge Base is provided \"as is\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

JSON

To clipboard

{
  "document": {
    "category": "csaf_vex",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Public",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en-US",
    "notes": [
      {
        "category": "general",
        "text": "To determine the support lifecycle for your software, see the Microsoft Support Lifecycle: https://support.microsoft.com/lifecycle",
        "title": "Additional Resources"
      },
      {
        "category": "legal_disclaimer",
        "text": "The information provided in the Microsoft Knowledge Base is provided \\\"as is\\\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.",
        "title": "Disclaimer"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "secure@microsoft.com",
      "name": "Microsoft Security Response Center",
      "namespace": "https://msrc.microsoft.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "CVE-2023-45803 Request body not stripped after redirect in urllib3 - VEX",
        "url": "https://msrc.microsoft.com/csaf/vex/2023/msrc_cve-2023-45803.json"
      },
      {
        "category": "external",
        "summary": "Microsoft Support Lifecycle",
        "url": "https://support.microsoft.com/lifecycle"
      },
      {
        "category": "external",
        "summary": "Common Vulnerability Scoring System",
        "url": "https://www.first.org/cvss"
      }
    ],
    "title": "Request body not stripped after redirect in urllib3",
    "tracking": {
      "current_release_date": "2025-07-18T00:00:00.000Z",
      "generator": {
        "date": "2025-10-20T00:44:26.421Z",
        "engine": {
          "name": "MSRC Generator",
          "version": "1.0"
        }
      },
      "id": "msrc_CVE-2023-45803",
      "initial_release_date": "2023-10-01T00:00:00.000Z",
      "revision_history": [
        {
          "date": "2023-10-23T00:00:00.000Z",
          "legacy_version": "1",
          "number": "1",
          "summary": "Information published."
        },
        {
          "date": "2024-08-29T00:00:00.000Z",
          "legacy_version": "1.1",
          "number": "2",
          "summary": "Information published."
        },
        {
          "date": "2024-08-30T00:00:00.000Z",
          "legacy_version": "1.2",
          "number": "3",
          "summary": "Information published."
        },
        {
          "date": "2024-08-31T00:00:00.000Z",
          "legacy_version": "1.3",
          "number": "4",
          "summary": "Information published."
        },
        {
          "date": "2024-09-01T00:00:00.000Z",
          "legacy_version": "1.4",
          "number": "5",
          "summary": "Information published."
        },
        {
          "date": "2024-09-02T00:00:00.000Z",
          "legacy_version": "1.5",
          "number": "6",
          "summary": "Information published."
        },
        {
          "date": "2024-09-03T00:00:00.000Z",
          "legacy_version": "1.6",
          "number": "7",
          "summary": "Information published."
        },
        {
          "date": "2024-09-05T00:00:00.000Z",
          "legacy_version": "1.7",
          "number": "8",
          "summary": "Information published."
        },
        {
          "date": "2024-09-06T00:00:00.000Z",
          "legacy_version": "1.8",
          "number": "9",
          "summary": "Information published."
        },
        {
          "date": "2024-09-07T00:00:00.000Z",
          "legacy_version": "1.9",
          "number": "10",
          "summary": "Information published."
        },
        {
          "date": "2024-09-08T00:00:00.000Z",
          "legacy_version": "2",
          "number": "11",
          "summary": "Information published."
        },
        {
          "date": "2024-09-11T00:00:00.000Z",
          "legacy_version": "2.1",
          "number": "12",
          "summary": "Information published."
        },
        {
          "date": "2024-10-25T00:00:00.000Z",
          "legacy_version": "2.2",
          "number": "13",
          "summary": "Added python-pip to Azure Linux 3.0\nAdded python-urllib3 to Azure Linux 3.0\nAdded python-urllib3 to CBL-Mariner 2.0"
        },
        {
          "date": "2025-03-14T00:00:00.000Z",
          "legacy_version": "2.3",
          "number": "14",
          "summary": "Added python3 to Azure Linux 3.0\nAdded python-pip to Azure Linux 3.0\nAdded python-urllib3 to Azure Linux 3.0\nAdded python-urllib3 to CBL-Mariner 2.0"
        },
        {
          "date": "2025-07-18T00:00:00.000Z",
          "legacy_version": "3",
          "number": "15",
          "summary": "Added python3 to CBL-Mariner 2.0\nAdded python-urllib3 to CBL-Mariner 2.0\nAdded python3 to Azure Linux 3.0\nAdded python-pip to Azure Linux 3.0\nAdded python-urllib3 to Azure Linux 3.0"
        }
      ],
      "status": "final",
      "version": "15"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "3.0",
                "product": {
                  "name": "Azure Linux 3.0",
                  "product_id": "17084"
                }
              },
              {
                "category": "product_version",
                "name": "2.0",
                "product": {
                  "name": "CBL Mariner 2.0",
                  "product_id": "17086"
                }
              }
            ],
            "category": "product_name",
            "name": "Azure Linux"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003cazl3 python-urllib3 2.0.4-1",
                "product": {
                  "name": "\u003cazl3 python-urllib3 2.0.4-1",
                  "product_id": "1"
                }
              },
              {
                "category": "product_version",
                "name": "azl3 python-urllib3 2.0.4-1",
                "product": {
                  "name": "azl3 python-urllib3 2.0.4-1",
                  "product_id": "20028"
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003ccbl2 python-urllib3 1.26.18-1",
                "product": {
                  "name": "\u003ccbl2 python-urllib3 1.26.18-1",
                  "product_id": "5"
                }
              },
              {
                "category": "product_version",
                "name": "cbl2 python-urllib3 1.26.18-1",
                "product": {
                  "name": "cbl2 python-urllib3 1.26.18-1",
                  "product_id": "18017"
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003cazl3 python-urllib3 2.0.7-1",
                "product": {
                  "name": "\u003cazl3 python-urllib3 2.0.7-1",
                  "product_id": "6"
                }
              },
              {
                "category": "product_version",
                "name": "azl3 python-urllib3 2.0.7-1",
                "product": {
                  "name": "azl3 python-urllib3 2.0.7-1",
                  "product_id": "17714"
                }
              }
            ],
            "category": "product_name",
            "name": "python-urllib3"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003cazl3 python-pip 24.2-1",
                "product": {
                  "name": "\u003cazl3 python-pip 24.2-1",
                  "product_id": "8"
                }
              },
              {
                "category": "product_version",
                "name": "azl3 python-pip 24.2-1",
                "product": {
                  "name": "azl3 python-pip 24.2-1",
                  "product_id": "17690"
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003cazl3 python-pip 24.0-2",
                "product": {
                  "name": "\u003cazl3 python-pip 24.0-2",
                  "product_id": "7"
                }
              },
              {
                "category": "product_version",
                "name": "azl3 python-pip 24.0-2",
                "product": {
                  "name": "azl3 python-pip 24.0-2",
                  "product_id": "17693"
                }
              }
            ],
            "category": "product_name",
            "name": "python-pip"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003ccbl2 python-virtualenv 20.26.6-1",
                "product": {
                  "name": "\u003ccbl2 python-virtualenv 20.26.6-1",
                  "product_id": "2"
                }
              },
              {
                "category": "product_version",
                "name": "cbl2 python-virtualenv 20.26.6-1",
                "product": {
                  "name": "cbl2 python-virtualenv 20.26.6-1",
                  "product_id": "19849"
                }
              }
            ],
            "category": "product_name",
            "name": "python-virtualenv"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003ccbl2 python3 3.9.19-13",
                "product": {
                  "name": "\u003ccbl2 python3 3.9.19-13",
                  "product_id": "3"
                }
              },
              {
                "category": "product_version",
                "name": "cbl2 python3 3.9.19-13",
                "product": {
                  "name": "cbl2 python3 3.9.19-13",
                  "product_id": "19681"
                }
              }
            ],
            "category": "product_name",
            "name": "python3"
          },
          {
            "category": "product_name",
            "name": "azl3 tensorflow 2.16.1-9",
            "product": {
              "name": "azl3 tensorflow 2.16.1-9",
              "product_id": "9"
            }
          },
          {
            "category": "product_name",
            "name": "azl3 python3 3.12.3-5",
            "product": {
              "name": "azl3 python3 3.12.3-5",
              "product_id": "10"
            }
          },
          {
            "category": "product_name",
            "name": "azl3 mozjs 102.15.1-1",
            "product": {
              "name": "azl3 mozjs 102.15.1-1",
              "product_id": "4"
            }
          }
        ],
        "category": "vendor",
        "name": "Microsoft"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "\u003cazl3 python-urllib3 2.0.4-1 as a component of Azure Linux 3.0",
          "product_id": "17084-1"
        },
        "product_reference": "1",
        "relates_to_product_reference": "17084"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "azl3 python-urllib3 2.0.4-1 as a component of Azure Linux 3.0",
          "product_id": "20028-17084"
        },
        "product_reference": "20028",
        "relates_to_product_reference": "17084"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "azl3 tensorflow 2.16.1-9 as a component of Azure Linux 3.0",
          "product_id": "17084-9"
        },
        "product_reference": "9",
        "relates_to_product_reference": "17084"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "azl3 python3 3.12.3-5 as a component of Azure Linux 3.0",
          "product_id": "17084-10"
        },
        "product_reference": "10",
        "relates_to_product_reference": "17084"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "\u003ccbl2 python-urllib3 1.26.18-1 as a component of CBL Mariner 2.0",
          "product_id": "17086-5"
        },
        "product_reference": "5",
        "relates_to_product_reference": "17086"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "cbl2 python-urllib3 1.26.18-1 as a component of CBL Mariner 2.0",
          "product_id": "18017-17086"
        },
        "product_reference": "18017",
        "relates_to_product_reference": "17086"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "\u003cazl3 python-pip 24.2-1 as a component of Azure Linux 3.0",
          "product_id": "17084-8"
        },
        "product_reference": "8",
        "relates_to_product_reference": "17084"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "azl3 python-pip 24.2-1 as a component of Azure Linux 3.0",
          "product_id": "17690-17084"
        },
        "product_reference": "17690",
        "relates_to_product_reference": "17084"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "\u003cazl3 python-urllib3 2.0.7-1 as a component of Azure Linux 3.0",
          "product_id": "17084-6"
        },
        "product_reference": "6",
        "relates_to_product_reference": "17084"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "azl3 python-urllib3 2.0.7-1 as a component of Azure Linux 3.0",
          "product_id": "17714-17084"
        },
        "product_reference": "17714",
        "relates_to_product_reference": "17084"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "\u003cazl3 python-pip 24.0-2 as a component of Azure Linux 3.0",
          "product_id": "17084-7"
        },
        "product_reference": "7",
        "relates_to_product_reference": "17084"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "azl3 python-pip 24.0-2 as a component of Azure Linux 3.0",
          "product_id": "17693-17084"
        },
        "product_reference": "17693",
        "relates_to_product_reference": "17084"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "azl3 mozjs 102.15.1-1 as a component of Azure Linux 3.0",
          "product_id": "17084-4"
        },
        "product_reference": "4",
        "relates_to_product_reference": "17084"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "\u003ccbl2 python-virtualenv 20.26.6-1 as a component of CBL Mariner 2.0",
          "product_id": "17086-2"
        },
        "product_reference": "2",
        "relates_to_product_reference": "17086"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "cbl2 python-virtualenv 20.26.6-1 as a component of CBL Mariner 2.0",
          "product_id": "19849-17086"
        },
        "product_reference": "19849",
        "relates_to_product_reference": "17086"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "\u003ccbl2 python3 3.9.19-13 as a component of CBL Mariner 2.0",
          "product_id": "17086-3"
        },
        "product_reference": "3",
        "relates_to_product_reference": "17086"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "cbl2 python3 3.9.19-13 as a component of CBL Mariner 2.0",
          "product_id": "19681-17086"
        },
        "product_reference": "19681",
        "relates_to_product_reference": "17086"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2023-45803",
      "cwe": {
        "id": "CWE-200",
        "name": "Exposure of Sensitive Information to an Unauthorized Actor"
      },
      "flags": [
        {
          "label": "component_not_present",
          "product_ids": [
            "17084-9",
            "17084-10",
            "17084-4"
          ]
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "GitHub_M",
          "title": "Assigning CNA"
        }
      ],
      "product_status": {
        "fixed": [
          "20028-17084",
          "18017-17086",
          "17690-17084",
          "17714-17084",
          "17693-17084",
          "19849-17086",
          "19681-17086"
        ],
        "known_affected": [
          "17084-1",
          "17086-5",
          "17084-8",
          "17084-6",
          "17084-7",
          "17086-2",
          "17086-3"
        ],
        "known_not_affected": [
          "17084-9",
          "17084-10",
          "17084-4"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2023-45803 Request body not stripped after redirect in urllib3 - VEX",
          "url": "https://msrc.microsoft.com/csaf/vex/2023/msrc_cve-2023-45803.json"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2023-10-23T00:00:00.000Z",
          "details": "2.0.7-1:Security Update:https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade",
          "product_ids": [
            "17084-1",
            "17084-6"
          ],
          "url": "https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade"
        },
        {
          "category": "vendor_fix",
          "date": "2023-10-23T00:00:00.000Z",
          "details": "1.26.18-1:Security Update:https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade",
          "product_ids": [
            "17086-5"
          ],
          "url": "https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade"
        },
        {
          "category": "vendor_fix",
          "date": "2023-10-23T00:00:00.000Z",
          "details": "24.2-1:Security Update:https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade",
          "product_ids": [
            "17084-8",
            "17084-7"
          ],
          "url": "https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade"
        },
        {
          "category": "vendor_fix",
          "date": "2023-10-23T00:00:00.000Z",
          "details": "Security Update:https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade",
          "product_ids": [
            "17086-2"
          ],
          "url": "https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade"
        },
        {
          "category": "vendor_fix",
          "date": "2023-10-23T00:00:00.000Z",
          "details": "3.9.19-14:Security Update:https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade",
          "product_ids": [
            "17086-3"
          ],
          "url": "https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "ADJACENT_NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.2,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "environmentalsScore": 0.0,
            "integrityImpact": "NONE",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "temporalScore": 4.2,
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "17084-1",
            "17086-5",
            "17084-8",
            "17084-6",
            "17084-7",
            "17086-2",
            "17086-3"
          ]
        }
      ],
      "title": "Request body not stripped after redirect in urllib3"
    }
  ]
}

CVE-2023-45803 (GCVE-0-2023-45803)

Vulnerability from cvelistv5 – Published: 2023-10-17 19:43 – Updated: 2025-11-03 21:49

Summary

urllib3 is a user-friendly HTTP client library for Python. urllib3 previously wouldn't remove the HTTP request body when an HTTP redirect response using status 301, 302, or 303 after the request had its method changed from one that could accept a request body (like `POST`) to `GET` as is required by HTTP RFCs. Although this behavior is not specified in the section for redirects, it can be inferred by piecing together information from different sections and we have observed the behavior in other major HTTP client implementations like curl and web browsers. Because the vulnerability requires a previously trusted service to become compromised in order to have an impact on confidentiality we believe the exploitability of this vulnerability is low. Additionally, many users aren't putting sensitive data in HTTP request bodies, if this is the case then this vulnerability isn't exploitable. Both of the following conditions must be true to be affected by this vulnerability: 1. Using urllib3 and submitting sensitive information in the HTTP request body (such as form data or JSON) and 2. The origin service is compromised and starts redirecting using 301, 302, or 303 to a malicious peer or the redirected-to service becomes compromised. This issue has been addressed in versions 1.26.18 and 2.0.7 and users are advised to update to resolve this issue. Users unable to update should disable redirects for services that aren't expecting to respond with redirects with `redirects=False` and disable automatic redirects with `redirects=False` and handle 301, 302, and 303 redirects manually by stripping the HTTP request body.

Severity ?

4.2 (Medium)


                        
                          CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N

CWE

CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor

Assigner

GitHub_M

References

URL

Tags

	https://github.com/urllib3/urllib3/security/advis…	x_refsource_CONFIRM
	https://github.com/urllib3/urllib3/commit/4e98d57…	x_refsource_MISC
	https://www.rfc-editor.org/rfc/rfc9110.html#name-get	x_refsource_MISC
	https://lists.fedoraproject.org/archives/list/pac…
	https://lists.fedoraproject.org/archives/list/pac…
	https://lists.fedoraproject.org/archives/list/pac…

Impacted products

	Vendor	Product	Version
	urllib3	urllib3	Affected: >= 2.0.0, < 2.0.7 Affected: < 1.26.18

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T21:49:53.115Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/urllib3/urllib3/security/advisories/GHSA-g4mx-q9vg-27p4",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/urllib3/urllib3/security/advisories/GHSA-g4mx-q9vg-27p4"
          },
          {
            "name": "https://github.com/urllib3/urllib3/commit/4e98d57809dacab1cbe625fddeec1a290c478ea9",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/urllib3/urllib3/commit/4e98d57809dacab1cbe625fddeec1a290c478ea9"
          },
          {
            "name": "https://www.rfc-editor.org/rfc/rfc9110.html#name-get",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.rfc-editor.org/rfc/rfc9110.html#name-get"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PPDPLM6UUMN55ESPQWJFLLIZY4ZKCNRX/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4R2Y5XK3WALSR3FNAGN7JBYV2B343ZKB/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5F5CUBAN5XMEBVBZPHFITBLMJV5FIJJ5/"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2024/12/msg00020.html"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-45803",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-13T15:56:19.991921Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-13T15:56:30.487Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "urllib3",
          "vendor": "urllib3",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 2.0.0, \u003c 2.0.7"
            },
            {
              "status": "affected",
              "version": "\u003c 1.26.18"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "urllib3 is a user-friendly HTTP client library for Python. urllib3 previously wouldn\u0027t remove the HTTP request body when an HTTP redirect response using status 301, 302, or 303 after the request had its method changed from one that could accept a request body (like `POST`) to `GET` as is required by HTTP RFCs. Although this behavior is not specified in the section for redirects, it can be inferred by piecing together information from different sections and we have observed the behavior in other major HTTP client implementations like curl and web browsers. Because the vulnerability requires a previously trusted service to become compromised in order to have an impact on confidentiality we believe the exploitability of this vulnerability is low. Additionally, many users aren\u0027t putting sensitive data in HTTP request bodies, if this is the case then this vulnerability isn\u0027t exploitable. Both of the following conditions must be true to be affected by this vulnerability: 1. Using urllib3 and submitting sensitive information in the HTTP request body (such as form data or JSON) and 2. The origin service is compromised and starts redirecting using 301, 302, or 303 to a malicious peer or the redirected-to service becomes compromised. This issue has been addressed in versions 1.26.18 and 2.0.7 and users are advised to update to resolve this issue. Users unable to update should disable redirects for services that aren\u0027t expecting to respond with redirects with `redirects=False` and disable automatic redirects with `redirects=False` and handle 301, 302, and 303 redirects manually by stripping the HTTP request body."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "ADJACENT_NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.2,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-200",
              "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-11-03T21:06:24.988Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/urllib3/urllib3/security/advisories/GHSA-g4mx-q9vg-27p4",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/urllib3/urllib3/security/advisories/GHSA-g4mx-q9vg-27p4"
        },
        {
          "name": "https://github.com/urllib3/urllib3/commit/4e98d57809dacab1cbe625fddeec1a290c478ea9",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/urllib3/urllib3/commit/4e98d57809dacab1cbe625fddeec1a290c478ea9"
        },
        {
          "name": "https://www.rfc-editor.org/rfc/rfc9110.html#name-get",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.rfc-editor.org/rfc/rfc9110.html#name-get"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PPDPLM6UUMN55ESPQWJFLLIZY4ZKCNRX/"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4R2Y5XK3WALSR3FNAGN7JBYV2B343ZKB/"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5F5CUBAN5XMEBVBZPHFITBLMJV5FIJJ5/"
        }
      ],
      "source": {
        "advisory": "GHSA-g4mx-q9vg-27p4",
        "discovery": "UNKNOWN"
      },
      "title": "Request body not stripped after redirect in urllib3"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2023-45803",
    "datePublished": "2023-10-17T19:43:45.404Z",
    "dateReserved": "2023-10-13T12:00:50.435Z",
    "dateUpdated": "2025-11-03T21:49:53.115Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

MSRC_CVE-2023-45803

CVE-2023-45803 (GCVE-0-2023-45803)

Tags

Sightings

Nomenclature