CVE-2023-43804

Summary

CVE	CVE-2023-43804
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2023-10-04 17:15:00 UTC
Updated	2024-02-01 00:55:00 UTC
Description	urllib3 is a user-friendly HTTP client library for Python. urllib3 doesn't treat the `Cookie` HTTP header special or provide any helpers for managing cookies over HTTP, that is the responsibility of the user. However, it is possible for a user to specify a `Cookie` header and unknowingly leak information via HTTP redirects to a different origin if that user doesn't disable redirects explicitly. This issue has been patched in urllib3 version 1.26.17 or 2.0.5.

Risk And Classification

Problem Types: CWE-200

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Operating System	Debian	Debian Linux	10.0	All	All	All
Operating System	Fedoraproject	Fedora	37	All	All	All
Operating System	Fedoraproject	Fedora	38	All	All	All
Operating System	Fedoraproject	Fedora	39	All	All	All
Application	Python	Urllib3	All	All	All	All

References

Reference	Source	Link	Tags
Merge pull request from GHSA-v845-jxx5-vc9f · urllib3/urllib3@644124e · GitHub	MISC	github.com
[SECURITY] Fedora 38 Update: python-urllib3-1.26.17-1.fc38 - package-announce - Fedora Mailing-Lists	MISC	lists.fedoraproject.org
[SECURITY] [DLA 3610-1] python-urllib3 security update	MISC	lists.debian.org
[SECURITY] Fedora 37 Update: python-urllib3-1.26.17-1.fc37 - package-announce - Fedora Mailing-Lists	MISC	lists.fedoraproject.org
Cookie request header isn't stripped during cross-origin redirects · Advisory · urllib3/urllib3 · GitHub	MISC	github.com
[SECURITY] Fedora 39 Update: python-urllib3-1.26.18-1.fc39 - package-announce - Fedora Mailing-Lists	MISC	lists.fedoraproject.org
Backport GHSA-v845-jxx5-vc9f (#3139) · urllib3/urllib3@0122035 · GitHub	MISC	github.com
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

Legacy QID Mappings

161247 Oracle Enterprise Linux Security Update for fence-agents (ELSA-2023-7753)
161270 Oracle Enterprise Linux Security Update for python-urllib3 (ELSA-2024-0116)
161278 Oracle Enterprise Linux Security Update for fence-agents (ELSA-2024-0133)
161310 Oracle Enterprise Linux Security Update for python-urllib3 (ELSA-2024-0464)
199896 Ubuntu Security Notification for pip Vulnerabilities (USN-6473-2)
199914 Ubuntu Security Notification for urllib3 Vulnerabilities (USN-6473-1)
242345 Red Hat Update for fence-agents bug fix, enhancement, and (RHSA-2023:6812)
242488 Red Hat Update for fence-agents (RHSA-2023:7378)
242517 Red Hat Update for fence-agents (RHSA-2023:7528)
242523 Red Hat Update for fence-agents (RHSA-2023:7523)
242574 Red Hat Update for fence-agents (RHSA-2023:7435)
242582 Red Hat Update for fence-agents (RHSA-2023:7753)
242599 Red Hat Update for fence-agents (RHSA-2023:7407)
242603 Red Hat Update for fence-agents (RHSA-2023:7385)
242702 Red Hat Update for OpenStack Platform 17.1 (RHSA-2024:0187)
242724 Red Hat Update for python-urllib3 (RHSA-2024:0300)
242776 Red Hat Update for python-urllib3 (RHSA-2024:0588)
242838 Red Hat Update for python-urllib3 (RHSA-2024:0464)
242884 Red Hat Update for python-urllib3 (RHSA-2024:0116)
284604 Fedora Security Update for python (FEDORA-2023-8f53bfe088)
284619 Fedora Security Update for python (FEDORA-2023-0806784f24)
285185 Fedora Security Update for python (FEDORA-2023-18f03a150d)
296106 Oracle Solaris 11.4 Support Repository Update (SRU) 64.157.2 Missing (CPUOCT2023)
330160 IBM AIX Multiple Vulnerabilities (python_advisory7)
356786 Amazon Linux Security Advisory for python-urllib3 : ALAS2023-2023-454
503369 Alpine Linux Security Update for py3-urllib3
505924 Alpine Linux Security Update for py3-urllib3
6000046 Debian Security Update for python-urllib3 (DLA 3610-1)
673571 EulerOS Security Update for python-urllib3 (EulerOS-SA-2023-3316)
673581 EulerOS Security Update for python-urllib3 (EulerOS-SA-2024-1096)
673698 EulerOS Security Update for python-pip (EulerOS-SA-2024-1295)
673713 EulerOS Security Update for python-urllib3 (EulerOS-SA-2023-3348)
673753 EulerOS Security Update for python-urllib3 (EulerOS-SA-2024-1296)
673932 EulerOS Security Update for python-urllib3 (EulerOS-SA-2023-3257)
673939 EulerOS Security Update for python-urllib3 (EulerOS-SA-2024-1072)
674016 EulerOS Security Update for python-urllib3 (EulerOS-SA-2023-3285)
674032 EulerOS Security Update for python-pip (EulerOS-SA-2023-3315)
674084 EulerOS Security Update for python-pip (EulerOS-SA-2023-3347)
755079 SUSE Enterprise Linux Security Update for python-urllib3 (SUSE-SU-2023:4064-1)
755112 SUSE Enterprise Linux Security Update for python-urllib3 (SUSE-SU-2023:4108-1)
907548 Common Base Linux Mariner (CBL-Mariner) Security Update for python-urllib3 (31108-1)
941505 AlmaLinux Security Update for fence-agents (ALSA-2023:7753)
941539 AlmaLinux Security Update for fence-agents (ALSA-2024:0133)
941542 AlmaLinux Security Update for python-urllib3 (ALSA-2024:0116)
941555 AlmaLinux Security Update for python-urllib3 (ALSA-2024:0464)
995496 Python (Pip) Security Update for urllib3 (GHSA-v845-jxx5-vc9f)