{"api_version":"1","generated_at":"2026-04-19T08:17:36+00:00","cve":"CVE-2023-43804","urls":{"html":"https://cve.report/CVE-2023-43804","api":"https://cve.report/api/cve/CVE-2023-43804.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2023-43804","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2023-43804"},"summary":{"title":"CVE-2023-43804","description":"urllib3 is a user-friendly HTTP client library for Python. urllib3 doesn't treat the `Cookie` HTTP header special or provide any helpers for managing cookies over HTTP, that is the responsibility of the user. However, it is possible for a user to specify a `Cookie` header and unknowingly leak information via HTTP redirects to a different origin if that user doesn't disable redirects explicitly. This issue has been patched in urllib3 version 1.26.17 or 2.0.5.","state":"PUBLIC","assigner":"security-advisories@github.com","published_at":"2023-10-04 17:15:00","updated_at":"2024-02-01 00:55:00"},"problem_types":["CWE-200"],"metrics":[],"references":[{"url":"https://github.com/urllib3/urllib3/commit/644124ecd0b6e417c527191f866daa05a5a2056d","name":"https://github.com/urllib3/urllib3/commit/644124ecd0b6e417c527191f866daa05a5a2056d","refsource":"MISC","tags":[],"title":"Merge pull request from GHSA-v845-jxx5-vc9f · urllib3/urllib3@644124e · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I3PR7C6RJ6JUBQKIJ644DMIJSUP36VDY/","name":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I3PR7C6RJ6JUBQKIJ644DMIJSUP36VDY/","refsource":"MISC","tags":[],"title":"[SECURITY] Fedora 38 Update: python-urllib3-1.26.17-1.fc38 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.debian.org/debian-lts-announce/2023/10/msg00012.html","name":"https://lists.debian.org/debian-lts-announce/2023/10/msg00012.html","refsource":"MISC","tags":[],"title":"[SECURITY] [DLA 3610-1] python-urllib3 security update","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NDAGZXYJ7H2G3SB47M453VQVNAWKAEJJ/","name":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NDAGZXYJ7H2G3SB47M453VQVNAWKAEJJ/","refsource":"MISC","tags":[],"title":"[SECURITY] Fedora 37 Update: python-urllib3-1.26.17-1.fc37 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://github.com/urllib3/urllib3/security/advisories/GHSA-v845-jxx5-vc9f","name":"https://github.com/urllib3/urllib3/security/advisories/GHSA-v845-jxx5-vc9f","refsource":"MISC","tags":[],"title":"Cookie request header isn't stripped during cross-origin redirects · Advisory · urllib3/urllib3 · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5F5CUBAN5XMEBVBZPHFITBLMJV5FIJJ5/","name":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5F5CUBAN5XMEBVBZPHFITBLMJV5FIJJ5/","refsource":"MISC","tags":[],"title":"[SECURITY] Fedora 39 Update: python-urllib3-1.26.18-1.fc39 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://github.com/urllib3/urllib3/commit/01220354d389cd05474713f8c982d05c9b17aafb","name":"https://github.com/urllib3/urllib3/commit/01220354d389cd05474713f8c982d05c9b17aafb","refsource":"MISC","tags":[],"title":"Backport GHSA-v845-jxx5-vc9f (#3139) · urllib3/urllib3@0122035 · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2023-43804","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-43804","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2023","cve_id":"43804","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"debian","cpe5":"debian_linux","cpe6":"10.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2023","cve_id":"43804","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"37","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2023","cve_id":"43804","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"38","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2023","cve_id":"43804","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"39","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2023","cve_id":"43804","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"python","cpe5":"urllib3","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2023-43804","qid":"161247","title":"Oracle Enterprise Linux Security Update for fence-agents (ELSA-2023-7753)"},{"cve":"CVE-2023-43804","qid":"161270","title":"Oracle Enterprise Linux Security Update for python-urllib3 (ELSA-2024-0116)"},{"cve":"CVE-2023-43804","qid":"161278","title":"Oracle Enterprise Linux Security Update for fence-agents (ELSA-2024-0133)"},{"cve":"CVE-2023-43804","qid":"161310","title":"Oracle Enterprise Linux Security Update for python-urllib3 (ELSA-2024-0464)"},{"cve":"CVE-2023-43804","qid":"199896","title":"Ubuntu Security Notification for pip Vulnerabilities (USN-6473-2)"},{"cve":"CVE-2023-43804","qid":"199914","title":"Ubuntu Security Notification for urllib3 Vulnerabilities (USN-6473-1)"},{"cve":"CVE-2023-43804","qid":"242345","title":"Red Hat Update for fence-agents bug fix, enhancement, and (RHSA-2023:6812)"},{"cve":"CVE-2023-43804","qid":"242488","title":"Red Hat Update for fence-agents (RHSA-2023:7378)"},{"cve":"CVE-2023-43804","qid":"242517","title":"Red Hat Update for fence-agents (RHSA-2023:7528)"},{"cve":"CVE-2023-43804","qid":"242523","title":"Red Hat Update for fence-agents (RHSA-2023:7523)"},{"cve":"CVE-2023-43804","qid":"242574","title":"Red Hat Update for fence-agents (RHSA-2023:7435)"},{"cve":"CVE-2023-43804","qid":"242582","title":"Red Hat Update for fence-agents (RHSA-2023:7753)"},{"cve":"CVE-2023-43804","qid":"242599","title":"Red Hat Update for fence-agents (RHSA-2023:7407)"},{"cve":"CVE-2023-43804","qid":"242603","title":"Red Hat Update for fence-agents (RHSA-2023:7385)"},{"cve":"CVE-2023-43804","qid":"242702","title":"Red Hat Update for OpenStack Platform 17.1 (RHSA-2024:0187)"},{"cve":"CVE-2023-43804","qid":"242724","title":"Red Hat Update for python-urllib3 (RHSA-2024:0300)"},{"cve":"CVE-2023-43804","qid":"242776","title":"Red Hat Update for python-urllib3 (RHSA-2024:0588)"},{"cve":"CVE-2023-43804","qid":"242838","title":"Red Hat Update for python-urllib3 (RHSA-2024:0464)"},{"cve":"CVE-2023-43804","qid":"242884","title":"Red Hat Update for python-urllib3 (RHSA-2024:0116)"},{"cve":"CVE-2023-43804","qid":"284604","title":"Fedora Security Update for python (FEDORA-2023-8f53bfe088)"},{"cve":"CVE-2023-43804","qid":"284619","title":"Fedora Security Update for python (FEDORA-2023-0806784f24)"},{"cve":"CVE-2023-43804","qid":"285185","title":"Fedora Security Update for python (FEDORA-2023-18f03a150d)"},{"cve":"CVE-2023-43804","qid":"296106","title":"Oracle Solaris 11.4 Support Repository Update (SRU) 64.157.2 Missing (CPUOCT2023)"},{"cve":"CVE-2023-43804","qid":"330160","title":"IBM AIX Multiple Vulnerabilities (python_advisory7)"},{"cve":"CVE-2023-43804","qid":"356786","title":"Amazon Linux Security Advisory for python-urllib3 : ALAS2023-2023-454"},{"cve":"CVE-2023-43804","qid":"503369","title":"Alpine Linux Security Update for py3-urllib3"},{"cve":"CVE-2023-43804","qid":"505924","title":"Alpine Linux Security Update for py3-urllib3"},{"cve":"CVE-2023-43804","qid":"6000046","title":"Debian Security Update for python-urllib3 (DLA 3610-1)"},{"cve":"CVE-2023-43804","qid":"673571","title":"EulerOS Security Update for python-urllib3 (EulerOS-SA-2023-3316)"},{"cve":"CVE-2023-43804","qid":"673581","title":"EulerOS Security Update for python-urllib3 (EulerOS-SA-2024-1096)"},{"cve":"CVE-2023-43804","qid":"673698","title":"EulerOS Security Update for python-pip (EulerOS-SA-2024-1295)"},{"cve":"CVE-2023-43804","qid":"673713","title":"EulerOS Security Update for python-urllib3 (EulerOS-SA-2023-3348)"},{"cve":"CVE-2023-43804","qid":"673753","title":"EulerOS Security Update for python-urllib3 (EulerOS-SA-2024-1296)"},{"cve":"CVE-2023-43804","qid":"673932","title":"EulerOS Security Update for python-urllib3 (EulerOS-SA-2023-3257)"},{"cve":"CVE-2023-43804","qid":"673939","title":"EulerOS Security Update for python-urllib3 (EulerOS-SA-2024-1072)"},{"cve":"CVE-2023-43804","qid":"674016","title":"EulerOS Security Update for python-urllib3 (EulerOS-SA-2023-3285)"},{"cve":"CVE-2023-43804","qid":"674032","title":"EulerOS Security Update for python-pip (EulerOS-SA-2023-3315)"},{"cve":"CVE-2023-43804","qid":"674084","title":"EulerOS Security Update for python-pip (EulerOS-SA-2023-3347)"},{"cve":"CVE-2023-43804","qid":"755079","title":"SUSE Enterprise Linux Security Update for python-urllib3 (SUSE-SU-2023:4064-1)"},{"cve":"CVE-2023-43804","qid":"755112","title":"SUSE Enterprise Linux Security Update for python-urllib3 (SUSE-SU-2023:4108-1)"},{"cve":"CVE-2023-43804","qid":"907548","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for python-urllib3 (31108-1)"},{"cve":"CVE-2023-43804","qid":"941505","title":"AlmaLinux Security Update for fence-agents (ALSA-2023:7753)"},{"cve":"CVE-2023-43804","qid":"941539","title":"AlmaLinux Security Update for fence-agents (ALSA-2024:0133)"},{"cve":"CVE-2023-43804","qid":"941542","title":"AlmaLinux Security Update for python-urllib3 (ALSA-2024:0116)"},{"cve":"CVE-2023-43804","qid":"941555","title":"AlmaLinux Security Update for python-urllib3 (ALSA-2024:0464)"},{"cve":"CVE-2023-43804","qid":"995496","title":"Python (Pip) Security Update for urllib3 (GHSA-v845-jxx5-vc9f)"}]},"source_records":{"cve_program":{"data_version":"4.0","data_type":"CVE","data_format":"MITRE","CVE_data_meta":{"ID":"CVE-2023-43804","ASSIGNER":"security-advisories@github.com","STATE":"PUBLIC"},"description":{"description_data":[{"lang":"eng","value":"urllib3 is a user-friendly HTTP client library for Python. urllib3 doesn't treat the `Cookie` HTTP header special or provide any helpers for managing cookies over HTTP, that is the responsibility of the user. However, it is possible for a user to specify a `Cookie` header and unknowingly leak information via HTTP redirects to a different origin if that user doesn't disable redirects explicitly. This issue has been patched in urllib3 version 1.26.17 or 2.0.5."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor","cweId":"CWE-200"}]}]},"affects":{"vendor":{"vendor_data":[{"vendor_name":"urllib3","product":{"product_data":[{"product_name":"urllib3","version":{"version_data":[{"version_affected":"=","version_value":">= 2.0.0, < 2.0.6"},{"version_affected":"=","version_value":"< 1.26.17"}]}}]}}]}},"references":{"reference_data":[{"url":"https://github.com/urllib3/urllib3/security/advisories/GHSA-v845-jxx5-vc9f","refsource":"MISC","name":"https://github.com/urllib3/urllib3/security/advisories/GHSA-v845-jxx5-vc9f"},{"url":"https://github.com/urllib3/urllib3/commit/01220354d389cd05474713f8c982d05c9b17aafb","refsource":"MISC","name":"https://github.com/urllib3/urllib3/commit/01220354d389cd05474713f8c982d05c9b17aafb"},{"url":"https://github.com/urllib3/urllib3/commit/644124ecd0b6e417c527191f866daa05a5a2056d","refsource":"MISC","name":"https://github.com/urllib3/urllib3/commit/644124ecd0b6e417c527191f866daa05a5a2056d"},{"url":"https://lists.debian.org/debian-lts-announce/2023/10/msg00012.html","refsource":"MISC","name":"https://lists.debian.org/debian-lts-announce/2023/10/msg00012.html"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I3PR7C6RJ6JUBQKIJ644DMIJSUP36VDY/","refsource":"MISC","name":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I3PR7C6RJ6JUBQKIJ644DMIJSUP36VDY/"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NDAGZXYJ7H2G3SB47M453VQVNAWKAEJJ/","refsource":"MISC","name":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NDAGZXYJ7H2G3SB47M453VQVNAWKAEJJ/"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5F5CUBAN5XMEBVBZPHFITBLMJV5FIJJ5/","refsource":"MISC","name":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5F5CUBAN5XMEBVBZPHFITBLMJV5FIJJ5/"}]},"source":{"advisory":"GHSA-v845-jxx5-vc9f","discovery":"UNKNOWN"},"impact":{"cvss":[{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":5.9,"baseSeverity":"MEDIUM","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"HIGH","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N","version":"3.1"}]}},"nvd":{"publishedDate":"2023-10-04 17:15:00","lastModifiedDate":"2024-02-01 00:55:00","problem_types":["CWE-200"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"NONE","baseScore":8.1,"baseSeverity":"HIGH"},"exploitabilityScore":2.8,"impactScore":5.2}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:python:urllib3:*:*:*:*:*:*:*:*","versionStartIncluding":"2.0.0","versionEndExcluding":"2.0.6","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:python:urllib3:*:*:*:*:*:*:*:*","versionEndExcluding":"1.26.17","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fedoraproject:fedora:39:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":null,"notes":[]}}}