CVE: CVE-2024-37891
Vulnerable Library: urllib3
Python Package: urllib3, a user-friendly HTTP client library for Python.
Publish Date: June 17, 2024
CVSS 3.0 Base Score: 5.5 (Moderate)
Vulnerability Description:
urllib3 is a widely used HTTP client library for Python. When using urllib3's proxy support via ProxyManager, the Proxy-Authorization header is only sent to the configured proxy. However, when making HTTP requests without using urllib3's proxy support, it is possible to accidentally configure the Proxy-Authorization header, even though no forwarding or tunneling proxy is being used. In this case, urllib3 does not treat the Proxy-Authorization header as sensitive and fails to strip it during cross-origin redirects.
Although this is an uncommon use case, it poses a risk in scenarios where cross-origin redirects may expose the header to malicious endpoints. To mitigate this, urllib3 has updated its handling to automatically strip the Proxy-Authorization header during such redirects, providing additional protection.
Users affected by this vulnerability are advised to update to versions 1.26.19 or 2.2.2 of urllib3, where the issue has been resolved. As an alternative mitigation, users can disable HTTP redirects by setting redirects=False when making requests or ensure they are using ProxyManager for handling proxies correctly.
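The redirect handling the advisory describes can be shown without a network. The following is an added example, not urllib3's own code: it models the same-origin test urllib3's PoolManager performs (scheme, host and port must all match) and the set of headers dropped on a cross-origin redirect before and after the fix, so the difference between the vulnerable and patched behaviour is visible on constructed input. All function names, the sample headers and the redirect chain are this example's own.

```python
"""
Added example for CVE-2024-37891 (not urllib3's code): simulates how request
headers travel across redirects and why Proxy-Authorization must be dropped on
a cross-origin hop. Standard library only; all names and data are constructed.
"""
from urllib.parse import urlsplit

# Header names removed on a cross-origin redirect. Before 1.26.19 / 2.2.2 the
# default set was Cookie and Authorization only; the fix added
# Proxy-Authorization.
VULNERABLE_REMOVE_ON_REDIRECT = frozenset({"cookie", "authorization"})
FIXED_REMOVE_ON_REDIRECT = frozenset({"cookie", "authorization", "proxy-authorization"})

_DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return (scheme, host, port) for a URL, filling in the scheme's default port."""
    parts = urlsplit(url)
    scheme = (parts.scheme or "http").lower()
    host = (parts.hostname or "").lower()
    port = parts.port or _DEFAULT_PORTS.get(scheme)
    return scheme, host, port


def is_cross_origin(from_url, to_url):
    """True when a redirect from from_url to to_url changes scheme, host or port."""
    return origin(from_url) != origin(to_url)


def headers_for_redirect(headers, from_url, to_url, remove_on_redirect=FIXED_REMOVE_ON_REDIRECT):
    """Headers to send on the redirected request.

    Same-origin: everything is forwarded unchanged.
    Cross-origin: any header whose name is in remove_on_redirect is dropped,
    which is the behaviour the advisory's fix restores for Proxy-Authorization.
    """
    if not is_cross_origin(from_url, to_url):
        return dict(headers)
    return {k: v for k, v in headers.items() if k.lower() not in remove_on_redirect}


def audit_headers(headers, using_proxy_manager):
    """Constructed pre-flight check: flag Proxy-Authorization set outside ProxyManager.

    Returns a list of finding strings (empty when nothing is wrong).
    """
    findings = []
    has_proxy_auth = any(k.lower() == "proxy-authorization" for k in headers)
    if has_proxy_auth and not using_proxy_manager:
        findings.append(
            "Proxy-Authorization is set but no ProxyManager is in use: "
            "the header is sent to the origin server, not a proxy"
        )
    return findings


def follow_redirects(headers, start_url, locations, remove_on_redirect=FIXED_REMOVE_ON_REDIRECT):
    """Walk a constructed chain of Location values and return (final_url, headers_sent_there)."""
    current = start_url
    sent = dict(headers)
    for location in locations:
        sent = headers_for_redirect(sent, current, location, remove_on_redirect)
        current = location
    return current, sent


if __name__ == "__main__":
    # Constructed request: a Proxy-Authorization header configured by mistake
    # on a direct (non-proxied) request, plus an ordinary Authorization header.
    constructed_headers = {
        "Authorization": "Bearer TOKEN-PLACEHOLDER",
        "Proxy-Authorization": "Basic CREDS-PLACEHOLDER",
        "User-Agent": "example-client/1.0",
    }
    chain = ["https://api.example.com/v1/login", "https://cdn.example.net/landing"]

    for finding in audit_headers(constructed_headers, using_proxy_manager=False):
        print("audit:", finding)

    for label, remove in (("vulnerable", VULNERABLE_REMOVE_ON_REDIRECT),
                          ("fixed", FIXED_REMOVE_ON_REDIRECT)):
        final_url, sent = follow_redirects(constructed_headers, "https://api.example.com/", chain, remove)
        print(f"{label}: headers reaching {final_url}: {sorted(sent)}")
```

The first hop in the constructed chain stays on `api.example.com`, so both configurations forward every header; the second hop moves to `cdn.example.net`, where the vulnerable set still lets `Proxy-Authorization` through while the fixed set drops it alongside `Authorization`. In urllib3 itself the per-request switch for not following the chain at all is the `redirect` keyword argument (`http.request("GET", url, redirect=False)`), and `audit_headers` is the kind of check worth running on header dictionaries assembled from configuration before they reach a plain `PoolManager`.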
Is there a plan to fix VA?