| Package | python-urllib3 |
|---|---|
| Version | 1.9.1-3+deb8u2 (jessie), 1.19.1-1+deb9u2 (stretch) |
| Related CVEs | CVE-2018-20060 CVE-2018-25091 CVE-2023-43804 CVE-2023-45803 |
Multiple vulnerabilities were found in python-urllib3, a user-friendly HTTP library for Python.
CVE-2018-20060
It was discovered that the Authorization HTTP header was not removed when following a cross-origin redirect (i.e., a redirect that differs in host, port, or scheme). This could allow for credentials in the Authorization header to be exposed to unintended hosts or transmitted in cleartext.
CVE-2018-25091
Yoshida Katsuhiko discovered that the fix for CVE-2018-20060 did not cover non-titlecase request headers; for instance “authorization” request headers were not removed during cross-origin redirects. (Per RFC7230 sec. 3.2 header fields are to be treated case-insensitively.)
CVE-2023-43804
It was discovered that the Cookie request header was not stripped during cross-origin redirects. It is therefore possible for a user specifying a Cookie header to unknowingly leak information via HTTP redirects to a different origin, unless the user disables redirects explicitly. The issue is similar to CVE-2018-20060, but for the Cookie request header rather than Authorization.
CVE-2023-45803
It was discovered that the HTTP request body was not removed when an HTTP redirect response using status 301, 302, or 303 after the request had its method changed from one that could accept a request body, like POST, to GET, as required by the HTTP RFCs. This could lead to information disclosure.
For Debian 8 jessie, these problems have been fixed in version 1.9.1-3+deb8u2.
For Debian 9 stretch, these problems have been fixed in version 1.19.1-1+deb9u2.
We recommend that you upgrade your python-urllib3 packages.
Further information about Extended LTS security advisories can be found in the dedicated section of our website.