requests is vulnerable to unintended leaks of the Proxy-Authorization header. The vulnerability exists in the rebuild_proxies function of sessions.py when the proxy credentials are supplied in the URL user information component, such as https://username:password@proxy:8080, which allows an attacker to gain Proxy-Authorization header information through the destination servers during redirects to an HTTPS origin.
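The header decision described above, as an added example (a simplified model written for this page, not code from requests): it shows when the proxy credential ends up on the request that reaches the HTTPS origin, and audits a proxies mapping for exposure. The function names and the origin.example host are hypothetical, and every version below 2.31.0 (the release linked from this advisory) is assumed to be affected.

```python
import base64
import re
from urllib.parse import unquote, urlsplit

FIXED = (2, 31, 0)  # release tag linked from this advisory; lower versions assumed affected


def version_tuple(text):
    """'2.28.1' -> (2, 28, 1); only the leading digits of each part are used."""
    nums = [int(m.group()) for m in (re.match(r"\d+", p) for p in text.split(".")[:3]) if m]
    return tuple(nums + [0] * (3 - len(nums)))


def headers_after_redirect(redirect_url, proxy_url, requests_version):
    """Simplified model: headers placed on the request that follows a redirect."""
    headers = {}
    proxy = urlsplit(proxy_url)
    to_https = urlsplit(redirect_url).scheme.lower() == "https"
    patched = version_tuple(requests_version) >= FIXED
    # Modelled fix: no header for HTTPS targets, where proxy authentication
    # belongs on the CONNECT request to the proxy, not inside the tunnel.
    if proxy.username and proxy.password and not (patched and to_https):
        cred = f"{unquote(proxy.username)}:{unquote(proxy.password)}"
        headers["Proxy-Authorization"] = "Basic " + base64.b64encode(cred.encode()).decode()
    return headers


def leaks_to_origin(redirect_url, proxy_url, requests_version):
    """True when the proxy credential would travel inside the TLS tunnel to the origin."""
    sent = headers_after_redirect(redirect_url, proxy_url, requests_version)
    return urlsplit(redirect_url).scheme.lower() == "https" and "Proxy-Authorization" in sent


def audit(proxies, requests_version):
    """Return the proxies-mapping keys whose URL embeds credentials on an affected version."""
    if version_tuple(requests_version) >= FIXED:
        return []
    return sorted(k for k, url in proxies.items()
                  if urlsplit(url).username and urlsplit(url).password)


if __name__ == "__main__":
    # Constructed sample values; the proxy URL is the form quoted in the advisory text.
    PROXY = "https://username:password@proxy:8080"
    for ver in ("2.30.0", "2.31.0"):
        print(ver, leaks_to_origin("https://origin.example/landing", PROXY, ver))
    print(audit({"https": PROXY, "http": "http://proxy:8080"}, "2.28.1"))
```

For a plain-HTTP target the header is still produced, because that request is addressed to the proxy itself and never reaches the origin with the credential inside a tunnel.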
github.com/advisories/GHSA-j8r2-6x86-q33q
github.com/psf/requests/commit/74ea7cf7a6a27a4eeb2ae24e162bcc942a6706d5
github.com/psf/requests/releases/tag/v2.31.0
github.com/psf/requests/security/advisories/GHSA-j8r2-6x86-q33q
lists.debian.org/debian-lts-announce/2023/06/msg00018.html
lists.fedoraproject.org/archives/list/[email protected]/message/AW7HNFGYP44RT3DUDQXG2QT3OEV2PJ7Y/
lists.fedoraproject.org/archives/list/[email protected]/message/KOYASTZDGQG2BWLSNBPL3TQRL2G7QYNZ/
security.gentoo.org/glsa/202309-08