CVE-2023-45803 – Request body not stripped after redirect in urllib3
https://notcve.org/view.php?id=CVE-2023-45803
urllib3 is a user-friendly HTTP client library for Python. urllib3 previously wouldn't remove the HTTP request body when an HTTP redirect response using status 301, 302, or 303 after the request had its method changed from one that could accept a request body (like `POST`) to `GET` as is required by HTTP RFCs. Although this behavior is not specified in the section for redirects, it can be inferred by piecing together information from different sections and we have observed the behavior in other major HTTP client implementations like curl and web browsers. Because the vulnerability requires a previously trusted service to become compromised in order to have an impact on confidentiality we believe the exploitability of this vulnerability is low. Additionally, many users aren't putting sensitive data in HTTP request bodies, if this is the case then this vulnerability isn't exploitable. Both of the following conditions must be true to be affected by this vulnerability: 1. • https://github.com/urllib3/urllib3/commit/4e98d57809dacab1cbe625fddeec1a290c478ea9 https://github.com/urllib3/urllib3/security/advisories/GHSA-g4mx-q9vg-27p4 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4R2Y5XK3WALSR3FNAGN7JBYV2B343ZKB https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5F5CUBAN5XMEBVBZPHFITBLMJV5FIJJ5 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PPDPLM6UUMN55ESPQWJFLLIZY4ZKCNRX https://www.rfc-editor.org • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2018-25091 – urllib3: urllib3 does not remove the authorization HTTP header when following a cross-origin redirect
https://notcve.org/view.php?id=CVE-2018-25091
urllib3 before 1.24.2 does not remove the authorization HTTP header when following a cross-origin redirect (i.e., a redirect that differs in host, port, or scheme). This can allow for credentials in the authorization header to be exposed to unintended hosts or transmitted in cleartext. NOTE: this issue exists because of an incomplete fix for CVE-2018-20060 (which was case-sensitive). urllib3 anterior a 1.24.2 no elimina el encabezado HTTP de autorización cuando se sigue una redirección de origen cruzado (es decir, una redirección que difiere en host, puerto o esquema). Esto puede permitir que las credenciales en el encabezado de autorización se expongan a hosts no deseados o se transmitan en texto plano. NOTA: este problema existe debido a una solución incompleta para CVE-2018-20060 (que distinguía entre mayúsculas y minúsculas). • https://github.com/urllib3/urllib3/commit/adb358f8e06865406d1f05e581a16cbea2136fbc https://github.com/urllib3/urllib3/compare/1.24.1...1.24.2 https://github.com/urllib3/urllib3/issues/1510 https://access.redhat.com/security/cve/CVE-2018-25091 https://bugzilla.redhat.com/show_bug.cgi?id=2244340 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVE-2023-43804 – `Cookie` HTTP header isn't stripped on cross-origin redirects
https://notcve.org/view.php?id=CVE-2023-43804
urllib3 is a user-friendly HTTP client library for Python. urllib3 doesn't treat the `Cookie` HTTP header special or provide any helpers for managing cookies over HTTP, that is the responsibility of the user. However, it is possible for a user to specify a `Cookie` header and unknowingly leak information via HTTP redirects to a different origin if that user doesn't disable redirects explicitly. This issue has been patched in urllib3 version 1.26.17 or 2.0.5. urllib3 es una librería cliente HTTP fácil de usar para Python. urllib3 no trata el encabezado HTTP "Cookie" de manera especial ni proporciona ayuda para administrar las cookies a través de HTTP, eso es responsabilidad del usuario. Sin embargo, es posible que un usuario especifique un encabezado "Cookie" y, sin saberlo, filtre información a través de redireccionamientos HTTP a un origen diferente si ese usuario no deshabilita los redireccionamientos explícitamente. Este problema se solucionó en urllib3 versión 1.26.17 o 2.0.5. • https://github.com/JawadPy/CVE-2023-43804-Exploit https://github.com/urllib3/urllib3/commit/01220354d389cd05474713f8c982d05c9b17aafb https://github.com/urllib3/urllib3/commit/644124ecd0b6e417c527191f866daa05a5a2056d https://github.com/urllib3/urllib3/security/advisories/GHSA-v845-jxx5-vc9f https://lists.debian.org/debian-lts-announce/2023/10/msg00012.html https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5F5CUBAN5XMEBVBZPHFITBLMJV5FIJJ5 https://lists.fedoraproject.org/archives/list/package-announc • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2021-33503 – python-urllib3: ReDoS in the parsing of authority part of URL
https://notcve.org/view.php?id=CVE-2021-33503
An issue was discovered in urllib3 before 1.26.5. When provided with a URL containing many @ characters in the authority component, the authority regular expression exhibits catastrophic backtracking, causing a denial of service if a URL were passed as a parameter or redirected to via an HTTP redirect. Se ha detectado un problema en urllib3 versiones anteriores a 1.26.5. Cuando se proporciona una URL que contiene muchos caracteres @ en el componente authority, la expresión regular de autoridad muestra un retroceso catastrófico, causando una denegación de servicio si fue pasado una URL como parámetro o es redirigido a ella por medio de un redireccionamiento HTTP A flaw was found in python-urllib3. When provided with a URL containing many @ characters in the authority component, the authority's regular expression exhibits catastrophic backtracking. • https://github.com/advisories/GHSA-q2q7-5pp4-w6pg https://github.com/urllib3/urllib3/commit/2d4a3fee6de2fa45eb82169361918f759269b4ec https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6SCV7ZNAHS3E6PBFLJGENCDRDRWRZZ6W https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FMUGWEAUYGGHTPPXT6YBD53WYXQGVV73 https://security.gentoo.org/glsa/202107-36 https://www.oracle.com/security-alerts/cpuoct2021.html https://access.redhat.com/security/cve/CVE-2021-33503 ht • CWE-400: Uncontrolled Resource Consumption CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') •
CVE-2021-28363
https://notcve.org/view.php?id=CVE-2021-28363
The urllib3 library 1.26.x before 1.26.4 for Python omits SSL certificate validation in some cases involving HTTPS to HTTPS proxies. The initial connection to the HTTPS proxy (if an SSLContext isn't given via proxy_config) doesn't verify the hostname of the certificate. This means certificates for different servers that still validate properly with the default urllib3 SSLContext will be silently accepted. La biblioteca urllib3 versiones 1.26.x anteriores a 1.26.4 para Python, omite una comprobación del certificado SSL en algunos casos que involucran HTTPS a proxies HTTPS. La conexión inicial al proxy HTTPS (si no se proporciona un SSLContext por medio de proxy_config) no verifica el nombre de host del certificado. • https://github.com/urllib3/urllib3/commit/8d65ea1ecf6e2cdc27d42124e587c1b83a3118b0 https://github.com/urllib3/urllib3/commits/main https://github.com/urllib3/urllib3/security/advisories/GHSA-5phf-pp7p-vc2r https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4S65ZQVZ2ODGB52IC7VJDBUK4M5INCXL https://pypi.org/project/urllib3/1.26.4 https://security.gentoo.org/glsa/202107-36 https://security.gentoo.org/glsa/202305-02 https://security.netapp.com/advisory/ntap-20240621-0007 htt • CWE-295: Improper Certificate Validation •