CVSS3 base score: 8.1 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: NONE
Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
EPSS: 0.001 (Low), percentile 36.2%
urllib3 doesn't treat the Cookie HTTP header specially or provide any helpers for managing cookies over HTTP; that is the responsibility of the user. However, it is possible for a user to specify a Cookie header and unknowingly leak information via HTTP redirects to a different origin if that user doesn't disable redirects explicitly.

Users must handle redirects themselves instead of relying on urllib3's automatic redirects to achieve safe processing of the Cookie header, thus we decided to strip the header by default in order to further protect users who aren't using the correct approach.
We believe the number of usages affected by this advisory is low. It requires all of the following to be true to be exploited:
- Using the Cookie header on requests, which is mostly typical for impersonating a browser.

Mitigations: disable HTTP redirects using redirects=False when sending requests, or do not send the Cookie header.
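Since the advisory's recommended approach is to handle redirects yourself, here is an added example (not urllib3's own code) of a manual redirect loop that drops the Cookie header whenever the origin of the next hop differs from the one that received it. The transport is injected as a `send(url, headers)` callable and driven by constructed routes with made-up hostnames so it runs offline (both are assumptions of this example); for real traffic, wrap urllib3's `PoolManager.request(..., redirect=False)` in such a callable.

```python
from urllib.parse import urljoin, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def origin(url):
    """(scheme, host, port) of a URL, normalised so default ports compare equal."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    return scheme, (p.hostname or "").lower(), p.port or DEFAULT_PORTS.get(scheme)

def headers_for_hop(headers, from_url, to_url):
    """Headers for the next hop: Cookie is dropped whenever the origin changes."""
    hop = dict(headers)
    if origin(from_url) != origin(to_url):
        for name in list(hop):
            if name.lower() == "cookie":
                del hop[name]
    return hop

def fetch(send, url, headers, max_redirects=5):
    """Follow redirects by hand. send(url, headers) is the injected transport and
    returns (status, response_headers, body); for real traffic wrap urllib3's
    PoolManager.request(..., redirect=False) in such a callable."""
    sent = []  # per hop: (url, whether a Cookie header was sent)
    for _ in range(max_redirects + 1):
        status, resp_headers, body = send(url, dict(headers))
        sent.append((url, any(k.lower() == "cookie" for k in headers)))
        location = resp_headers.get("Location")
        if status in (301, 302, 303, 307, 308) and location:
            next_url = urljoin(url, location)  # Location may be relative
            headers = headers_for_hop(headers, url, next_url)
            url = next_url
        else:
            return status, body, sent
    raise RuntimeError("too many redirects")

# Constructed offline transport: one same-origin hop (cookie kept), then a
# cross-origin hop (cookie dropped). Hostnames are made up for this example.
FAKE_ROUTES = {
    "https://app.example/start": (302, {"Location": "/step2"}, b""),
    "https://app.example/step2": (302, {"Location": "https://other.example/end"}, b""),
    "https://other.example/end": (200, {}, b"done"),
}

def fake_send(url, headers):
    return FAKE_ROUTES[url]

def demo():
    return fetch(fake_send, "https://app.example/start", {"Cookie": "session=abc"})
```

Running `demo()` shows the Cookie header sent on the first two same-origin hops and absent on the third, cross-origin hop.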
github.com/pypa/advisory-database/tree/main/vulns/urllib3/PYSEC-2023-192.yaml
github.com/urllib3/urllib3
github.com/urllib3/urllib3/commit/01220354d389cd05474713f8c982d05c9b17aafb
github.com/urllib3/urllib3/commit/644124ecd0b6e417c527191f866daa05a5a2056d
github.com/urllib3/urllib3/security/advisories/GHSA-v845-jxx5-vc9f
lists.debian.org/debian-lts-announce/2023/10/msg00012.html
lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5F5CUBAN5XMEBVBZPHFITBLMJV5FIJJ5
lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I3PR7C6RJ6JUBQKIJ644DMIJSUP36VDY
lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NDAGZXYJ7H2G3SB47M453VQVNAWKAEJJ
nvd.nist.gov/vuln/detail/CVE-2023-43804