PYSEC-2023-192

See a problem?

Import Source

https://github.com/pypa/advisory-database/blob/main/vulns/urllib3/PYSEC-2023-192.yaml

JSON Data

https://api.osv.dev/v1/vulns/PYSEC-2023-192

Aliases

Published

2023-10-04T17:15:00Z

Modified

2023-11-08T04:13:33.452167Z

Severity

8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N CVSS Calculator

Summary

[none]

Details

urllib3 is a user-friendly HTTP client library for Python. urllib3 doesn't treat the Cookie HTTP header special or provide any helpers for managing cookies over HTTP, that is the responsibility of the user. However, it is possible for a user to specify a Cookie header and unknowingly leak information via HTTP redirects to a different origin if that user doesn't disable redirects explicitly. This issue has been patched in urllib3 version 1.26.17 or 2.0.5.

References

Affected packages

PyPI / urllib3

Package

Name: urllib3; View open source insights on deps.dev
Purl: pkg:pypi/urllib3

Affected ranges

Type: GIT
Repo: https://github.com/urllib3/urllib3
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

644124ecd0b6e417c527191f866daa05a5a2056d

Fixed

01220354d389cd05474713f8c982d05c9b17aafb

Type: ECOSYSTEM
Events: Introduced

2.0.0

Fixed

2.0.6

Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.26.17

Affected versions

0.*

0.2

0.3

0.3.1

0.4.0

0.4.1

1.*

1.0

1.0.1

1.0.2

1.1

1.2

1.2.1

1.2.2

1.3

1.4

1.5

1.6

1.7

1.7.1

1.8

1.8.2

1.8.3

1.9

1.9.1

1.10

1.10.1

1.10.2

1.10.3

1.10.4

1.11

1.12

1.13

1.13.1

1.14

1.15

1.15.1

1.16

1.17

1.18

1.18.1

1.19

1.19.1

1.20

1.21

1.21.1

1.22

1.23

1.24

1.24.1

1.24.2

1.24.3

1.25

1.25.1

1.25.2

1.25.3

1.25.4

1.25.5

1.25.6

1.25.7

1.25.8

1.25.9

1.25.10

1.25.11

1.26.0

1.26.1

1.26.2

1.26.3

1.26.4

1.26.5

1.26.6

1.26.7

1.26.8

1.26.9

1.26.10

1.26.11

1.26.12

1.26.13

1.26.14

1.26.15

1.26.16

2.*

2.0.0

2.0.1

2.0.2

2.0.3

2.0.4

2.0.5