Overview
urllib3 is an HTTP library with thread-safe connection pooling, file post, and more.
Affected versions of this package are vulnerable to Improper Removal of Sensitive Information Before Storage or Transfer due to the improper handling of the Proxy-Authorization header during cross-origin redirects when ProxyManager is not in use. When the conditions below are met, including non-recommended configurations, the contents of this header can be sent in an automatic HTTP redirect.
https://security.snyk.io/vuln/SNYK-PYTHON-URLLIB3-7267250
Workarounds
Using the Proxy-Authorization header with urllib3's ProxyManager.
Disabling HTTP redirects using redirects=False when sending requests.
Not using the Proxy-Authorization header.
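The behaviour a client needs on redirects, as an added standard-library example (not urllib3's code and not part of the advisory): credential-bearing headers, including Proxy-Authorization, are dropped when the redirect target is a different origin. The function names, the header list and the example.test URLs are assumptions made for this illustration.

```python
from urllib.parse import urljoin, urlsplit

# Headers that should not follow a request to another origin.
# Assumed list for this example; Proxy-Authorization is the one the advisory covers.
SENSITIVE_ON_REDIRECT = frozenset({"authorization", "cookie", "proxy-authorization"})
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return (scheme, host, port), filling in the scheme's default port."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port or DEFAULT_PORTS.get(scheme)
    return scheme, host, port


def headers_for_redirect(request_url, location, headers):
    """Headers to send when following a redirect from request_url to location."""
    target = urljoin(request_url, location)  # Location may be a relative path
    if origin(target) == origin(request_url):
        return dict(headers)  # same origin: nothing to strip
    # Cross-origin: header names are case-insensitive, so compare lowercased.
    return {k: v for k, v in headers.items()
            if k.lower() not in SENSITIVE_ON_REDIRECT}


# Constructed sample request; the credential is a placeholder value.
SAMPLE_URL = "https://api.example.test/v1/data"
SAMPLE_HEADERS = {
    "Accept": "application/json",
    "proxy-authorization": "Basic PLACEHOLDER",
}

if __name__ == "__main__":
    for location in ("/v2/data",                        # same origin, relative
                     "https://api.example.test:443/x",  # same origin, explicit port
                     "http://api.example.test/x",       # scheme downgrade
                     "https://other.example.test/x"):   # different host
        sent = headers_for_redirect(SAMPLE_URL, location, SAMPLE_HEADERS)
        print(f"{location:34} -> {sorted(sent)}")
```

In urllib3 itself, the keyword that turns off automatic redirect following on a request is `redirect=False`.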
Introduced through:
urllib3@1.26.18
Remediation:
upgrade urllib3@1.26.19
Completion criteria: