
CVSS: 4.4  EPSS: 0%  CPEs: 2  EXPL: 0

urllib3 is a user-friendly HTTP client library for Python. When using urllib3's proxy support with `ProxyManager`, the `Proxy-Authorization` header is only sent to the configured proxy, as expected. However, when sending HTTP requests *without* using urllib3's proxy support, it is possible to accidentally configure the `Proxy-Authorization` header even though it has no effect, as the request is not using a forwarding proxy or a tunneling proxy. In those cases, urllib3 does not treat the `Proxy-Authorization` HTTP header as one carrying authentication material and thus does not strip the header on cross-origin redirects, so a redirect to a different origin receives the proxy credentials. Because this is a highly unlikely scenario, we believe the severity of this vulnerability is low for almost all users.

• https://github.com/urllib3/urllib3/commit/accff72ecc2f6cf5a76d9570198a93ac7c90270e
• https://github.com/urllib3/urllib3/security/advisories/GHSA-34jh-p97f-mpxf
• https://access.redhat.com/security/cve/CVE-2024-37891
• https://bugzilla.redhat.com/show_bug.cgi?id=2292788
• CWE-669: Incorrect Resource Transfer Between Spheres
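As an added illustration (this is not code from urllib3, from the advisory, or from this page), the following Python models the decision an HTTP client makes about which request headers may follow a redirect. The names `VULNERABLE_STRIP`, `FIXED_STRIP`, `headers_for_redirect`, `follow_chain`, `drop_stray_proxy_auth`, and the sample URLs, header values and redirect chain are all constructed for the example. The vulnerable set reproduces the behaviour the advisory describes: on a cross-origin redirect `Authorization` is stripped while a stray `Proxy-Authorization` header is forwarded to the new host. The fixed set models the patched behaviour, in which urllib3 2.2.2 added `Proxy-Authorization` to the default list of headers removed on redirect, so both are dropped. The same-origin check fills in default ports so that `https://host:443` and `https://host` count as one origin.

```python
"""Model of credential-header handling across HTTP redirects (added example)."""
from urllib.parse import urljoin, urlsplit

# Credential-bearing headers a client must drop when a redirect leaves the
# original origin. VULNERABLE_STRIP models the pre-fix behaviour described in
# the advisory (Proxy-Authorization missing); FIXED_STRIP models the patched one.
VULNERABLE_STRIP = frozenset({"authorization", "cookie"})
FIXED_STRIP = frozenset({"authorization", "cookie", "proxy-authorization"})

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return (scheme, host, port) with the scheme's default port filled in."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)


def headers_for_redirect(request_url, location, headers, strip=FIXED_STRIP):
    """Decide which request headers follow a redirect.

    `location` is the Location value (absolute or relative) returned with the
    3xx response to `request_url`. Same-origin redirects keep every header;
    cross-origin redirects drop every name in `strip`, compared
    case-insensitively. Returns (headers_to_send, resolved_target_url).
    """
    target = urljoin(request_url, location)
    if origin(request_url) == origin(target):
        return dict(headers), target
    kept = {name: value for name, value in headers.items()
            if name.lower() not in strip}
    return kept, target


def follow_chain(start_url, responses, headers, strip=FIXED_STRIP):
    """Walk a redirect chain. `responses` maps a URL to the Location value it
    answers with; a URL with no entry is the final hop. Returns the list of
    (url, headers sent to that url), first entry being the original request."""
    url, hdrs = start_url, dict(headers)
    trace = [(url, hdrs)]
    while url in responses:
        hdrs, url = headers_for_redirect(url, responses[url], hdrs, strip)
        trace.append((url, hdrs))
    return trace


def drop_stray_proxy_auth(headers, using_proxy_manager):
    """Mitigation for callers on an unpatched client: a Proxy-Authorization
    header on a request that is not routed through a proxy does nothing useful
    and can only leak, so remove it before the request is sent."""
    if using_proxy_manager:
        return dict(headers)
    return {name: value for name, value in headers.items()
            if name.lower() != "proxy-authorization"}


# Constructed sample: a direct (non-proxied) request that mistakenly carries
# Proxy-Authorization, answered by a same-origin hop and then a cross-origin hop.
SAMPLE_HEADERS = {
    "Accept": "application/json",
    "Authorization": "Bearer app-token",            # constructed value
    "Proxy-Authorization": "Basic dXNlcjpwYXNz",    # constructed value
}
SAMPLE_RESPONSES = {
    "https://api.example.com/v1/report": "/v1/report-moved",
    "https://api.example.com/v1/report-moved": "https://cdn.example.net/report.json",
}
START_URL = "https://api.example.com/v1/report"


if __name__ == "__main__":
    for label, strip in (("vulnerable", VULNERABLE_STRIP), ("fixed", FIXED_STRIP)):
        print(f"--- {label} ---")
        for url, hdrs in follow_chain(START_URL, SAMPLE_RESPONSES, SAMPLE_HEADERS, strip):
            print(url, sorted(hdrs))
```

Running the script shows the final cross-origin hop to `cdn.example.net` receiving `Proxy-Authorization` under the vulnerable policy and only `Accept` under the fixed one. For code that must stay on an unpatched urllib3, the practical options are to route proxied traffic through `ProxyManager` (which confines the header to the proxy), to avoid setting `Proxy-Authorization` on direct requests at all, or to disable automatic redirect following and handle redirects explicitly; `drop_stray_proxy_auth` models the second of these.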