CVE-2023-43804

CVE-2023-43804

Name

CVE-2023-43804

Description

urllib3 is a user-friendly HTTP client library for Python. urllib3 doesn't treat the `Cookie` HTTP header special or provide any helpers for managing cookies over HTTP, that is the responsibility of the user. However, it is possible for a user to specify a `Cookie` header and unknowingly leak information via HTTP redirects to a different origin if that user doesn't disable redirects explicitly. This issue has been patched in urllib3 version 1.26.17 or 2.0.5.

NVD Severity

unknown

Other trackers

CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia

Mailing lists

oss-security, full-disclosure, bugtraq

Exploits

Exploit DB, Metasploit

Forges

GitHub (code, issues), Aports (code, issues)

Type	URI
MISC	https://github.com/urllib3/urllib3/commit/644124ecd0b6e417c527191f866daa05a5a2056d
MISC	https://github.com/urllib3/urllib3/security/advisories/GHSA-v845-jxx5-vc9f
MISC	https://github.com/urllib3/urllib3/commit/01220354d389cd05474713f8c982d05c9b17aafb
MISC	https://lists.debian.org/debian-lts-announce/2023/10/msg00012.html
MISC	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I3PR7C6RJ6JUBQKIJ644DMIJSUP36VDY/
MISC	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NDAGZXYJ7H2G3SB47M453VQVNAWKAEJJ/
MISC	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5F5CUBAN5XMEBVBZPHFITBLMJV5FIJJ5/
af854a3a-2127-422b-91ae-364da2661108	https://security.netapp.com/advisory/ntap-20241213-0007/
af854a3a-2127-422b-91ae-364da2661108	https://www.vicarius.io/vsociety/posts/cve-2023-43804-urllib3-vulnerability-3
af854a3a-2127-422b-91ae-364da2661108	https://lists.debian.org/debian-lts-announce/2024/12/msg00020.html

Type

URI

MISC

https://github.com/urllib3/urllib3/commit/644124ecd0b6e417c527191f866daa05a5a2056d

MISC

https://github.com/urllib3/urllib3/security/advisories/GHSA-v845-jxx5-vc9f

MISC

https://github.com/urllib3/urllib3/commit/01220354d389cd05474713f8c982d05c9b17aafb

MISC

https://lists.debian.org/debian-lts-announce/2023/10/msg00012.html

MISC

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I3PR7C6RJ6JUBQKIJ644DMIJSUP36VDY/

MISC

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NDAGZXYJ7H2G3SB47M453VQVNAWKAEJJ/

MISC

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5F5CUBAN5XMEBVBZPHFITBLMJV5FIJJ5/

af854a3a-2127-422b-91ae-364da2661108

https://security.netapp.com/advisory/ntap-20241213-0007/

af854a3a-2127-422b-91ae-364da2661108

https://www.vicarius.io/vsociety/posts/cve-2023-43804-urllib3-vulnerability-3

af854a3a-2127-422b-91ae-364da2661108

https://lists.debian.org/debian-lts-announce/2024/12/msg00020.html

CPE URI	Source package	Min version	Max version
`cpe:2.3:a:python:urllib3::::::::`	urllib3	>= 2.0.0	< 2.0.6
`cpe:2.3:a:python:urllib3::::::::`	urllib3	>= None	< 1.26.17

CPE URI

Source package

Min version

Max version

cpe:2.3:a:python:urllib3:*:*:*:*:*:*:*:*

urllib3

>= 2.0.0

< 2.0.6

cpe:2.3:a:python:urllib3:*:*:*:*:*:*:*:*

urllib3

>= None

< 1.26.17

Vulnerable and fixed packages

Source package	Branch	Version	Maintainer	Status
py3-urllib3	edge-main	1.26.17-r0	Francesco Colista <fcolista@alpinelinux.org>	fixed
py3-urllib3	3.22-main	1.26.17-r0	None	fixed
py3-urllib3	3.21-main	1.26.17-r0	None	fixed
py3-urllib3	3.20-main	1.26.17-r0	None	fixed
py3-urllib3	3.19-main	1.26.17-r0	None	fixed
py3-urllib3	3.18-main	1.26.17-r0	Francesco Colista <fcolista@alpinelinux.org>	fixed
py3-urllib3	3.17-main	1.26.17-r0	Francesco Colista <fcolista@alpinelinux.org>	fixed

Source package

Branch

Version

Maintainer

Status

py3-urllib3

edge-main

1.26.17-r0

Francesco Colista <fcolista@alpinelinux.org>

fixed

py3-urllib3

3.22-main