pysec - pysec-2023-192

pysec-2023-192

Vulnerability from pysec

Published

2023-10-04 17:15

Modified

2023-10-10 14:28

Severity

8.1 (High) - CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Details

urllib3 is a user-friendly HTTP client library for Python. urllib3 doesn't treat the Cookie HTTP header special or provide any helpers for managing cookies over HTTP, that is the responsibility of the user. However, it is possible for a user to specify a Cookie header and unknowingly leak information via HTTP redirects to a different origin if that user doesn't disable redirects explicitly. This issue has been patched in urllib3 version 1.26.17 or 2.0.5.

Aliases

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "urllib3",
        "purl": "pkg:pypi/urllib3"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "644124ecd0b6e417c527191f866daa05a5a2056d"
            },
            {
              "fixed": "01220354d389cd05474713f8c982d05c9b17aafb"
            }
          ],
          "repo": "https://github.com/urllib3/urllib3",
          "type": "GIT"
        },
        {
          "events": [
            {
              "introduced": "2.0.0"
            },
            {
              "fixed": "2.0.6"
            },
            {
              "introduced": "0"
            },
            {
              "fixed": "1.26.17"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "0.2",
        "0.3",
        "0.3.1",
        "0.4.0",
        "0.4.1",
        "1.0",
        "1.0.1",
        "1.0.2",
        "1.1",
        "1.10",
        "1.10.1",
        "1.10.2",
        "1.10.3",
        "1.10.4",
        "1.11",
        "1.12",
        "1.13",
        "1.13.1",
        "1.14",
        "1.15",
        "1.15.1",
        "1.16",
        "1.17",
        "1.18",
        "1.18.1",
        "1.19",
        "1.19.1",
        "1.2",
        "1.2.1",
        "1.2.2",
        "1.20",
        "1.21",
        "1.21.1",
        "1.22",
        "1.23",
        "1.24",
        "1.24.1",
        "1.24.2",
        "1.24.3",
        "1.25",
        "1.25.1",
        "1.25.10",
        "1.25.11",
        "1.25.2",
        "1.25.3",
        "1.25.4",
        "1.25.5",
        "1.25.6",
        "1.25.7",
        "1.25.8",
        "1.25.9",
        "1.26.0",
        "1.26.1",
        "1.26.10",
        "1.26.11",
        "1.26.12",
        "1.26.13",
        "1.26.14",
        "1.26.15",
        "1.26.16",
        "1.26.2",
        "1.26.3",
        "1.26.4",
        "1.26.5",
        "1.26.6",
        "1.26.7",
        "1.26.8",
        "1.26.9",
        "1.3",
        "1.4",
        "1.5",
        "1.6",
        "1.7",
        "1.7.1",
        "1.8",
        "1.8.2",
        "1.8.3",
        "1.9",
        "1.9.1",
        "2.0.0",
        "2.0.1",
        "2.0.2",
        "2.0.3",
        "2.0.4",
        "2.0.5"
      ]
    }
  ],
  "aliases": [
    "CVE-2023-43804",
    "GHSA-v845-jxx5-vc9f"
  ],
  "details": "urllib3 is a user-friendly HTTP client library for Python. urllib3 doesn\u0027t treat the `Cookie` HTTP header special or provide any helpers for managing cookies over HTTP, that is the responsibility of the user. However, it is possible for a user to specify a `Cookie` header and unknowingly leak information via HTTP redirects to a different origin if that user doesn\u0027t disable redirects explicitly. This issue has been patched in urllib3 version 1.26.17 or 2.0.5.",
  "id": "PYSEC-2023-192",
  "modified": "2023-10-10T14:28:19.389317+00:00",
  "published": "2023-10-04T17:15:00+00:00",
  "references": [
    {
      "type": "FIX",
      "url": "https://github.com/urllib3/urllib3/commit/644124ecd0b6e417c527191f866daa05a5a2056d"
    },
    {
      "type": "FIX",
      "url": "https://github.com/urllib3/urllib3/security/advisories/GHSA-v845-jxx5-vc9f"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/urllib3/urllib3/security/advisories/GHSA-v845-jxx5-vc9f"
    },
    {
      "type": "FIX",
      "url": "https://github.com/urllib3/urllib3/commit/01220354d389cd05474713f8c982d05c9b17aafb"
    },
    {
      "type": "ARTICLE",
      "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00012.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00012.html"
    }
  ],
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

ghsa-v845-jxx5-vc9f

Vulnerability from github

Published

2023-10-02 23:27

Modified

2023-10-02 23:27

Severity

5.9 (Medium) - CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N

Summary

`Cookie` HTTP header isn't stripped on cross-origin redirects

Details

urllib3 doesn't treat the Cookie HTTP header special or provide any helpers for managing cookies over HTTP, that is the responsibility of the user. However, it is possible for a user to specify a Cookie header and unknowingly leak information via HTTP redirects to a different origin if that user doesn't disable redirects explicitly.

Users must handle redirects themselves instead of relying on urllib3's automatic redirects to achieve safe processing of the Cookie header, thus we decided to strip the header by default in order to further protect users who aren't using the correct approach.

Affected usages

We believe the number of usages affected by this advisory is low. It requires all of the following to be true to be exploited:

Using an affected version of urllib3 (patched in v1.26.17 and v2.0.6)
Using the Cookie header on requests, which is mostly typical for impersonating a browser.
Not disabling HTTP redirects
Either not using HTTPS or for the origin server to redirect to a malicious origin.

Remediation

Upgrading to at least urllib3 v1.26.17 or v2.0.6
Disabling HTTP redirects using redirects=False when sending requests.
Not using the Cookie header.

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "urllib3"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0"
            },
            {
              "fixed": "2.0.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "urllib3"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.26.17"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-43804"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-10-02T23:27:05Z",
    "nvd_published_at": "2023-10-04T17:15:10Z",
    "severity": "MODERATE"
  },
  "details": "urllib3 doesn\u0027t treat the `Cookie` HTTP header special or provide any helpers for managing cookies over HTTP, that is the responsibility of the user. However, it is possible for a user to specify a `Cookie` header and unknowingly leak information via HTTP redirects to a different origin if that user doesn\u0027t disable redirects explicitly.\n\nUsers **must** handle redirects themselves instead of relying on urllib3\u0027s automatic redirects to achieve safe processing of the `Cookie` header, thus we decided to strip the header by default in order to further protect users who aren\u0027t using the correct approach.\n\n## Affected usages\n\nWe believe the number of usages affected by this advisory is low. It requires all of the following to be true to be exploited:\n\n* Using an affected version of urllib3 (patched in v1.26.17 and v2.0.6)\n* Using the `Cookie` header on requests, which is mostly typical for impersonating a browser.\n* Not disabling HTTP redirects\n* Either not using HTTPS or for the origin server to redirect to a malicious origin.\n\n## Remediation\n\n* Upgrading to at least urllib3 v1.26.17 or v2.0.6\n* Disabling HTTP redirects using `redirects=False` when sending requests.\n* Not using the `Cookie` header.",
  "id": "GHSA-v845-jxx5-vc9f",
  "modified": "2023-10-02T23:27:05Z",
  "published": "2023-10-02T23:27:05Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/urllib3/urllib3/security/advisories/GHSA-v845-jxx5-vc9f"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-43804"
    },
    {
      "type": "WEB",
      "url": "https://github.com/urllib3/urllib3/commit/01220354d389cd05474713f8c982d05c9b17aafb"
    },
    {
      "type": "WEB",
      "url": "https://github.com/urllib3/urllib3/commit/644124ecd0b6e417c527191f866daa05a5a2056d"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/urllib3/PYSEC-2023-192.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/urllib3/urllib3"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00012.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5F5CUBAN5XMEBVBZPHFITBLMJV5FIJJ5"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I3PR7C6RJ6JUBQKIJ644DMIJSUP36VDY"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NDAGZXYJ7H2G3SB47M453VQVNAWKAEJJ"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "`Cookie` HTTP header isn\u0027t stripped on cross-origin redirects"
}

cve-2023-43804

Vulnerability from cvelistv5

Published

2023-10-04 16:01

Modified

2024-08-19 07:48

Severity

5.9 (Medium) - cvssV3_1 - CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N

Summary

`Cookie` HTTP header isn't stripped on cross-origin redirects

References

URL	Tags
https://github.com/urllib3/urllib3/security/advisories/GHSA-v845-jxx5-vc9f	x_refsource_CONFIRM
https://github.com/urllib3/urllib3/commit/01220354d389cd05474713f8c982d05c9b17aafb	x_refsource_MISC
https://github.com/urllib3/urllib3/commit/644124ecd0b6e417c527191f866daa05a5a2056d	x_refsource_MISC
https://lists.debian.org/debian-lts-announce/2023/10/msg00012.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I3PR7C6RJ6JUBQKIJ644DMIJSUP36VDY/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NDAGZXYJ7H2G3SB47M453VQVNAWKAEJJ/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5F5CUBAN5XMEBVBZPHFITBLMJV5FIJJ5/

Impacted products

Vendor	Product
urllib3	urllib3

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-19T07:48:07.200Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/urllib3/urllib3/security/advisories/GHSA-v845-jxx5-vc9f",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/urllib3/urllib3/security/advisories/GHSA-v845-jxx5-vc9f"
          },
          {
            "name": "https://github.com/urllib3/urllib3/commit/01220354d389cd05474713f8c982d05c9b17aafb",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/urllib3/urllib3/commit/01220354d389cd05474713f8c982d05c9b17aafb"
          },
          {
            "name": "https://github.com/urllib3/urllib3/commit/644124ecd0b6e417c527191f866daa05a5a2056d",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/urllib3/urllib3/commit/644124ecd0b6e417c527191f866daa05a5a2056d"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00012.html"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I3PR7C6RJ6JUBQKIJ644DMIJSUP36VDY/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NDAGZXYJ7H2G3SB47M453VQVNAWKAEJJ/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5F5CUBAN5XMEBVBZPHFITBLMJV5FIJJ5/"
          },
          {
            "url": "https://www.vicarius.io/vsociety/posts/cve-2023-43804-urllib3-vulnerability-3"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "urllib3",
          "vendor": "urllib3",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 2.0.0, \u003c 2.0.6"
            },
            {
              "status": "affected",
              "version": "\u003c 1.26.17"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "urllib3 is a user-friendly HTTP client library for Python. urllib3 doesn\u0027t treat the `Cookie` HTTP header special or provide any helpers for managing cookies over HTTP, that is the responsibility of the user. However, it is possible for a user to specify a `Cookie` header and unknowingly leak information via HTTP redirects to a different origin if that user doesn\u0027t disable redirects explicitly. This issue has been patched in urllib3 version 1.26.17 or 2.0.5."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-200",
              "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-10-04T16:01:50.447Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/urllib3/urllib3/security/advisories/GHSA-v845-jxx5-vc9f",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/urllib3/urllib3/security/advisories/GHSA-v845-jxx5-vc9f"
        },
        {
          "name": "https://github.com/urllib3/urllib3/commit/01220354d389cd05474713f8c982d05c9b17aafb",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/urllib3/urllib3/commit/01220354d389cd05474713f8c982d05c9b17aafb"
        },
        {
          "name": "https://github.com/urllib3/urllib3/commit/644124ecd0b6e417c527191f866daa05a5a2056d",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/urllib3/urllib3/commit/644124ecd0b6e417c527191f866daa05a5a2056d"
        },
        {
          "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00012.html"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I3PR7C6RJ6JUBQKIJ644DMIJSUP36VDY/"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NDAGZXYJ7H2G3SB47M453VQVNAWKAEJJ/"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5F5CUBAN5XMEBVBZPHFITBLMJV5FIJJ5/"
        }
      ],
      "source": {
        "advisory": "GHSA-v845-jxx5-vc9f",
        "discovery": "UNKNOWN"
      },
      "title": "`Cookie` HTTP header isn\u0027t stripped on cross-origin redirects"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2023-43804",
    "datePublished": "2023-10-04T16:01:50.447Z",
    "dateReserved": "2023-09-22T14:51:42.340Z",
    "dateUpdated": "2024-08-19T07:48:07.200Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Action not permitted

pysec-2023-192

Vulnerability from pysec

ghsa-v845-jxx5-vc9f

Vulnerability from github

Affected usages

Remediation

cve-2023-43804

Vulnerability from cvelistv5

Tags