Описание
urllib3 is a user-friendly HTTP client library for Python. Starting in version 2.2.0 and prior to 2.5.0, urllib3 does not control redirects in browsers and Node.js. urllib3 supports being used in a Pyodide runtime utilizing the JavaScript Fetch API or falling back on XMLHttpRequest. This means Python libraries can be used to make HTTP requests from a browser or Node.js. Additionally, urllib3 provides a mechanism to control redirects, but the retries and redirect parameters are ignored with Pyodide; the runtime itself determines redirect behavior. This issue has been patched in version 2.5.0.
A flaw was found in urllib3. The library fails to properly validate redirect URLs, allowing an attacker to manipulate redirect chains when used in environments like Pyodide utilizing the JavaScript Fetch API. This lack of validation can enable a remote attacker to control the redirect destination, leading to arbitrary URL redirection. Consequently, an attacker can redirect users to malicious websites. This
vulnerability stems from a failure to constrain the redirect target.
Отчет
The vulnerability lies in the urllib3 library's inability to control HTTP redirects when executed within a Pyodide runtime. This can lead to Server-Side Request Forgery (SSRF) attacks, where an attacker can induce the application to make requests to unintended internal or external resources. While urllib3 is a ubiquitous library in the Python ecosystem and is present in many Red Hat products, the vulnerability is specific to its use within the less common Pyodide (Python in a browser) environment. The attack complexity is high as it requires a specific application context where user-supplied input is used to construct a request URL in a Pyodide-based application that also attempts to mitigate SSRF by disabling redirects. The impact is primarily on confidentiality, as a successful exploit could lead to the disclosure of sensitive information from the server's local network. Given the specific and less common configuration required for exploitation, the severity is rated as Moderate.
Меры по смягчению последствий
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Assisted Installer for Red Hat OpenShift Container Platform 2 | rhai/assisted-installer-agent-rhel9 | Out of support scope | ||
| Assisted Installer for Red Hat OpenShift Container Platform 2 | rhai/assisted-installer-controller-rhel9 | Out of support scope | ||
| Assisted Installer for Red Hat OpenShift Container Platform 2 | rhai/assisted-installer-rhel9 | Out of support scope | ||
| Builds for Red Hat OpenShift | openshift-builds/openshift-builds-shared-resource-rhel9 | Fix deferred | ||
| Builds for Red Hat OpenShift | openshift-builds/openshift-builds-shared-resource-webhook-rhel9 | Fix deferred | ||
| cert-manager Operator for Red Hat OpenShift | cert-manager/cert-manager-istio-csr-rhel9 | Fix deferred | ||
| cert-manager Operator for Red Hat OpenShift | cert-manager/cert-manager-operator-rhel9 | Fix deferred | ||
| cert-manager Operator for Red Hat OpenShift | cert-manager/jetstack-cert-manager-acmesolver-rhel9 | Fix deferred | ||
| cert-manager Operator for Red Hat OpenShift | cert-manager/jetstack-cert-manager-rhel9 | Fix deferred | ||
| Confidential Compute Attestation | confidential-compute-attestation-tech-preview/trustee-rhel9 | Fix deferred |
Показывать по
Дополнительная информация
Статус:
EPSS
5.3 Medium
CVSS3
Связанные уязвимости
urllib3 is a user-friendly HTTP client library for Python. Starting in version 2.2.0 and prior to 2.5.0, urllib3 does not control redirects in browsers and Node.js. urllib3 supports being used in a Pyodide runtime utilizing the JavaScript Fetch API or falling back on XMLHttpRequest. This means Python libraries can be used to make HTTP requests from a browser or Node.js. Additionally, urllib3 provides a mechanism to control redirects, but the retries and redirect parameters are ignored with Pyodide; the runtime itself determines redirect behavior. This issue has been patched in version 2.5.0.
urllib3 is a user-friendly HTTP client library for Python. Starting in version 2.2.0 and prior to 2.5.0, urllib3 does not control redirects in browsers and Node.js. urllib3 supports being used in a Pyodide runtime utilizing the JavaScript Fetch API or falling back on XMLHttpRequest. This means Python libraries can be used to make HTTP requests from a browser or Node.js. Additionally, urllib3 provides a mechanism to control redirects, but the retries and redirect parameters are ignored with Pyodide; the runtime itself determines redirect behavior. This issue has been patched in version 2.5.0.
urllib3 is a user-friendly HTTP client library for Python. Starting in ...
urllib3 does not control redirects in browsers and Node.js
EPSS
5.3 Medium
CVSS3