CVE-2023-43804

Name
CVE-2023-43804
Description
urllib3 is a user-friendly HTTP client library for Python. urllib3 doesn't treat the `Cookie` HTTP header specially or provide any helpers for managing cookies over HTTP; that is the responsibility of the user. However, it is possible for a user to specify a `Cookie` header and unknowingly leak information via HTTP redirects to a different origin if that user doesn't disable redirects explicitly. This issue has been patched in urllib3 versions 1.26.17 and 2.0.5.
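The following is an added example, not urllib3's own code, illustrating the defensive behaviour the description refers to: a caller-supplied `Cookie` (or `Authorization`) header is copied unchanged onto a same-origin redirect but dropped when the redirect target has a different scheme, host or port. The redirect chain, host names and function names (`origin`, `headers_for_redirect`, `follow`) are constructed for the example; origin comparison on scheme, host and port is this example's choice of check. No network access is needed.

```python
from urllib.parse import urljoin, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
# Headers that carry credentials and must not cross an origin boundary.
SENSITIVE_HEADERS = frozenset({"cookie", "authorization"})


def origin(url):
    """Return (scheme, host, port) for a URL, filling in the default port."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    return scheme, (parts.hostname or "").lower(), parts.port or DEFAULT_PORTS.get(scheme)


def headers_for_redirect(current_url, location, headers):
    """Resolve `location` against `current_url` and return (target_url, headers).

    Headers are copied unchanged for a same-origin redirect; for a cross-origin
    redirect every header named in SENSITIVE_HEADERS is removed.
    """
    target = urljoin(current_url, location)  # Location may be relative
    if origin(current_url) == origin(target):
        return target, dict(headers)
    safe = {k: v for k, v in headers.items() if k.lower() not in SENSITIVE_HEADERS}
    return target, safe


# Constructed redirect chain standing in for real servers: URL -> (status, Location).
# A URL absent from the map answers 200 with no Location.
CONSTRUCTED_CHAIN = {
    "https://app.example.com/start": (302, "/login"),
    "https://app.example.com/login": (302, "https://cdn.example.net/asset"),
}


def follow(start_url, headers, strip_on_cross_origin, max_redirects=5):
    """Walk the constructed chain and record which header names each host saw.

    With strip_on_cross_origin=False the caller's headers ride along on every
    hop (the behaviour the advisory describes); with True they are filtered by
    headers_for_redirect at each hop.
    """
    seen = {}
    url, hdrs = start_url, dict(headers)
    for _ in range(max_redirects + 1):
        seen.setdefault(origin(url)[1], set()).update(k.lower() for k in hdrs)
        status, location = CONSTRUCTED_CHAIN.get(url, (200, None))
        if status != 302:
            return seen
        if strip_on_cross_origin:
            url, hdrs = headers_for_redirect(url, location, hdrs)
        else:
            url = urljoin(url, location)
    raise RuntimeError("too many redirects")


if __name__ == "__main__":
    request_headers = {"Cookie": "session=abc", "Accept": "*/*"}  # constructed
    start = "https://app.example.com/start"
    print("no stripping :", follow(start, request_headers, strip_on_cross_origin=False))
    print("with stripping:", follow(start, request_headers, strip_on_cross_origin=True))
```

When running against real servers with a patched urllib3, the equivalent controls are the library's own `Retry(remove_headers_on_redirect=...)` setting, which names the headers to drop on redirect, and passing `redirect=False` to the request so that redirects are returned to the caller instead of being followed automatically; both are existing urllib3 options, not part of this example.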
NVD Severity
unknown
Other trackers
Mailing lists
Exploits
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
MISC https://github.com/urllib3/urllib3/commit/644124ecd0b6e417c527191f866daa05a5a2056d
MISC https://github.com/urllib3/urllib3/security/advisories/GHSA-v845-jxx5-vc9f
MISC https://github.com/urllib3/urllib3/commit/01220354d389cd05474713f8c982d05c9b17aafb
MISC https://lists.debian.org/debian-lts-announce/2023/10/msg00012.html
MISC https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I3PR7C6RJ6JUBQKIJ644DMIJSUP36VDY/
MISC https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NDAGZXYJ7H2G3SB47M453VQVNAWKAEJJ/
MISC https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5F5CUBAN5XMEBVBZPHFITBLMJV5FIJJ5/

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:python:urllib3:*:*:*:*:*:*:*:* urllib3 >= 2.0.0 < 2.0.6
cpe:2.3:a:python:urllib3:*:*:*:*:*:*:*:* urllib3 >= None < 1.26.17

Vulnerable and fixed packages

Source package Branch Version Maintainer Status