CVE-2024-37891

urllib3 is a user-friendly HTTP client library for Python. When using urllib3's proxy support with ProxyManager, the Proxy-Authorization header is only sent to the configured proxy, as expected. However, when sending HTTP requests without using urllib3's proxy support, it's possible to accidental...

CVE-2024-37891

CVE-2024-37891 affects urllib3 (Python HTTP client) across multiple distributions (e.g., python3-urllib3, python3.13-pip, python-pip, etc.). The issue: when not using urllib3’s ProxyManager proxy support, a configured Proxy-Authorization header could be sent, and urllib3 may not strip it on cross...

CVE-2024-37891 Proxy-Authorization request header isn't stripped during cross-origin redirects in urllib3

urllib3 is a user-friendly HTTP client library for Python. When using urllib3's proxy support with ProxyManager, the Proxy-Authorization header is only sent to the configured proxy, as expected. However, when sending HTTP requests without using urllib3's proxy support, it's possible to accidental...

CVE-2024-37891 Proxy-Authorization request header isn't stripped during cross-origin redirects in urllib3

urllib3 is a user-friendly HTTP client library for Python. When using urllib3's proxy support with ProxyManager, the Proxy-Authorization header is only sent to the configured proxy, as expected. However, when sending HTTP requests without using urllib3's proxy support, it's possible to accidental...

urllib3 Security Vulnerabilities

urllib3 is a Python HTTP library. It features thread-safe connection pooling, file publishing support, and more. A security vulnerability exists in urllib3 that stems from not stripping the proxy authorization request header during cross-domain redirects...

SUSE SLES12 Security Update : nodejs16 (SUSE-SU-2024:1836-1)

The remote SUSE Linux SLES12 / SLESSAP12 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2024:1836-1 advisory. - CVE-2024-30260: undici: proxy-authorization header not cleared on cross-origin redirect for dispatch, request, stream, pipeline...

SUSE-SU-2024:1837-1 Security update for nodejs16

This update for nodejs16 fixes the following issues: - CVE-2024-30260: undici: proxy-authorization header not cleared on cross-origin redirect for dispatch, request, stream, pipeline bsc1222530 - CVE-2024-30261: undici: Ensure that integrity cannot be tampered with bsc1222603...

RHEL 6 : python-requests (Unpatched Vulnerability)

The remote Redhat Enterprise Linux 6 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched. - python-requests: Redirect from HTTPS to HTTP does not remove Authorization header CVE-2018-18074 - Reques...

NewStart CGSL CORE 5.04 / MAIN 5.04 : python-requests Multiple Vulnerabilities (NS-SA-2024-0014)

The remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has python-requests packages installed that are affected by multiple vulnerabilities: - The Requests package before 2.20.0 for Python sends an HTTP Authorization header to an http URI upon receiving a same-hostname https-to-htt...

SUSE-SU-2024:1309-1 Security update for nodejs18

This update for nodejs18 fixes the following issues: Update to 18.20.1 Security fixes: - CVE-2024-27983: Fixed failed assertion in node::http2::Http2Session::Http2Session that could lead to HTTP/2 server crash bsc1222244 - CVE-2024-27982: Fixed HTTP Request Smuggling via Content Length Obfuscatio...

SUSE-SU-2024:1307-1 Security update for nodejs18

This update for nodejs18 fixes the following issues: Update to 18.20.1 Security fixes: - CVE-2024-27983: Fixed failed assertion in node::http2::Http2Session::Http2Session that could lead to HTTP/2 server crash bsc1222244 - CVE-2024-27982: Fixed HTTP Request Smuggling via Content Length Obfuscatio...

CVE-2024-30260

...

Internet Bug Bounty: Proxy-Authorization header not cleared on cross-origin redirect in undici.request

The Proxy-Authorization header was not cleared on cross-origin redirects in the Undici HTTP client library. This issue was reported and patched in later versions of Undici...

CVE-2024-30260

A flaw was found in the nodejs-undici package. Proxy-Authorization headers are not cleared on cross-origin redirects, which can allow for the exposure of sensitive data or allow an attacker to capture the persistent proxy-authentication header. Mitigation Mitigation for this issue is either not...

AZL-39734 CVE-2024-30260 affecting package nodejs for versions less than 20.14.0-1

Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici cleared Authorization and Proxy-Authorization headers for fetch, but did not clear them for undici.request. This vulnerability was patched in versions 5.28.4 and 6.11.1...

DEBIAN-CVE-2024-30260

Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici cleared Authorization and Proxy-Authorization headers for fetch, but did not clear them for undici.request. This vulnerability was patched in versions 5.28.4 and 6.11.1...

CVE-2024-30260

Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici cleared Authorization and Proxy-Authorization headers for fetch, but did not clear them for undici.request. This vulnerability was patched in versions 5.28.4 and 6.11.1...

CVE-2024-30260 Undici's Proxy-Authorization header not cleared on cross-origin redirect for dispatch, request, stream, pipeline

Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici cleared Authorization and Proxy-Authorization headers for fetch, but did not clear them for undici.request. This vulnerability was patched in versions 5.28.4 and 6.11.1...

CVE-2024-30260

Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici cleared Authorization and Proxy-Authorization headers for fetch, but did not clear them for undici.request. This vulnerability was patched in versions 5.28.4 and 6.11.1...

Undici's Proxy-Authorization header not cleared on cross-origin redirect for dispatch, request, stream, pipeline

Impact Undici cleared Authorization and Proxy-Authorization headers for fetch, but did not clear them for undici.request. Patches This has been patched in https://github.com/nodejs/undici/commit/6805746680d27a5369d7fb67bc05f95a28247d75. Fixes has been released in v5.28.4 and v6.11.1. Workarounds...