Описание
urllib3 is a user-friendly HTTP client library for Python. When using urllib3's proxy support with ProxyManager, the Proxy-Authorization header is only sent to the configured proxy, as expected. However, when sending HTTP requests without using urllib3's proxy support, it's possible to accidentally configure the Proxy-Authorization header even though it won't have any effect as the request is not using a forwarding proxy or a tunneling proxy. In those cases, urllib3 doesn't treat the Proxy-Authorization HTTP header as one carrying authentication material and thus doesn't strip the header on cross-origin redirects. Because this is a highly unlikely scenario, we believe the severity of this vulnerability is low for almost all users. Out of an abundance of caution urllib3 will automatically strip the Proxy-Authorization header during cross-origin redirects to avoid the small chance that users are doing this on accident. Users should use urllib3's proxy support or disable au...
| Релиз | Статус | Примечание |
|---|---|---|
| devel | not-affected | 24.2+dfsg-1ubuntu0.1 |
| esm-apps/bionic | released | 9.0.1-2.3~ubuntu1.18.04.8+esm6 |
| esm-apps/focal | released | 20.0.2-5ubuntu1.11 |
| esm-apps/jammy | released | 22.0.2+dfsg-1ubuntu0.5 |
| esm-apps/noble | released | 24.0+dfsg-1ubuntu1.1 |
| esm-apps/xenial | released | 8.1.1-2ubuntu0.6+esm10 |
| esm-infra-legacy/trusty | needs-triage | |
| focal | released | 20.0.2-5ubuntu1.11 |
| jammy | released | 22.0.2+dfsg-1ubuntu0.5 |
| mantic | ignored | end of life, was needs-triage |
Показывать по
| Релиз | Статус | Примечание |
|---|---|---|
| devel | not-affected | 2.0.7-2ubuntu0.1 |
| esm-infra-legacy/trusty | needs-triage | |
| esm-infra/bionic | released | 1.22-1ubuntu0.18.04.2+esm2 |
| esm-infra/focal | not-affected | 1.25.8-2ubuntu0.4 |
| esm-infra/xenial | released | 1.13.1-2ubuntu0.16.04.4+esm2 |
| focal | released | 1.25.8-2ubuntu0.4 |
| jammy | released | 1.26.5-1~exp1ubuntu0.2 |
| mantic | ignored | end of life, was needs-triage |
| noble | released | 2.0.7-1ubuntu0.1 |
| oracular | released | 2.0.7-2ubuntu0.1 |
Показывать по
EPSS
4.4 Medium
CVSS3
Связанные уязвимости
urllib3 is a user-friendly HTTP client library for Python. When using urllib3's proxy support with `ProxyManager`, the `Proxy-Authorization` header is only sent to the configured proxy, as expected. However, when sending HTTP requests *without* using urllib3's proxy support, it's possible to accidentally configure the `Proxy-Authorization` header even though it won't have any effect as the request is not using a forwarding proxy or a tunneling proxy. In those cases, urllib3 doesn't treat the `Proxy-Authorization` HTTP header as one carrying authentication material and thus doesn't strip the header on cross-origin redirects. Because this is a highly unlikely scenario, we believe the severity of this vulnerability is low for almost all users. Out of an abundance of caution urllib3 will automatically strip the `Proxy-Authorization` header during cross-origin redirects to avoid the small chance that users are doing this on accident. Users should use urllib3's proxy support or disable au...
urllib3 is a user-friendly HTTP client library for Python. When using urllib3's proxy support with `ProxyManager`, the `Proxy-Authorization` header is only sent to the configured proxy, as expected. However, when sending HTTP requests *without* using urllib3's proxy support, it's possible to accidentally configure the `Proxy-Authorization` header even though it won't have any effect as the request is not using a forwarding proxy or a tunneling proxy. In those cases, urllib3 doesn't treat the `Proxy-Authorization` HTTP header as one carrying authentication material and thus doesn't strip the header on cross-origin redirects. Because this is a highly unlikely scenario, we believe the severity of this vulnerability is low for almost all users. Out of an abundance of caution urllib3 will automatically strip the `Proxy-Authorization` header during cross-origin redirects to avoid the small chance that users are doing this on accident. Users should use urllib3's proxy support or disable auto
urllib3 is a user-friendly HTTP client library for Python. When using ...
EPSS
4.4 Medium
CVSS3