6.1 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N
6.2 Medium
AI Score
Confidence
High
0.002 Low
EPSS
Percentile
51.8%
The Python requests package, which allows user to send HTTP requests using Python, is used by IBM Cinder plug-in. requests package is impacted by vulnerability CVE-2023-32681.
CVEID:CVE-2023-32681
**DESCRIPTION:**python-requests could allow a remote attacker to obtain sensitive information, caused by the leaking of Proxy-Authorization headers to destination servers during redirects to an HTTPS origin. By persuading a victim to click on a specially crafted URL, an attacker could exploit this vulnerability to obtain sensitive information.
CVSS Base score: 6.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/256114 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N)
Affected Product(s) | Version(s) |
---|---|
Cinder Plug-in | All |
Update Python to version >= 3.7
Update requests library to version >= 2.31.0
Please note:
The plugin will still work on Python < 3.7, but it is necessary to update to fix this vulnerability, as the fixed version of requests library is not supported on Python < 3.7
IBM Cinder SVf driver has been tested using non-vulnerable version of requests library
None
CPE | Name | Operator | Version |
---|---|---|---|
cinder plug-in | eq | any |
6.1 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N
6.2 Medium
AI Score
Confidence
High
0.002 Low
EPSS
Percentile
51.8%