Security Bulletin: IBM Cinder plug-in is affected by a vulnerability in the Python requests-2.28.2-py3-none-any.whl [CVE-2023-32681]

Published: 2023-12-04 12:03:03 (www.ibm.com)

CVSS 3.1 base score: 6.1 Medium (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N)
AI Score: 6.2 Medium (confidence: High)
EPSS: 0.002 Low (percentile: 51.8%)

Summary

The Python requests package, which allows users to send HTTP requests from Python, is used by the IBM Cinder plug-in. The requests package is affected by CVE-2023-32681.

Vulnerability Details

CVEID: CVE-2023-32681
**DESCRIPTION:** python-requests could allow a remote attacker to obtain sensitive information, caused by the leaking of Proxy-Authorization headers to destination servers when a request sent through an authenticating proxy is redirected to an HTTPS origin. The header carries the credentials for the proxy, not for the destination, so the destination server should never see it. By persuading a victim to click on a specially crafted URL, an attacker could exploit this vulnerability to obtain sensitive information.
CVSS Base score: 6.1
CVSS Temporal Score: see https://exchange.xforce.ibmcloud.com/vulnerabilities/256114 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N)

Affected Products and Versions

Affected Product(s): Cinder Plug-in
Version(s): All

Remediation/Fixes

Update Python to version >= 3.7
Update requests library to version >= 2.31.0

Please note:
The plug-in still works on Python < 3.7, but updating Python is necessary to fix this vulnerability, because the fixed version of the requests library is not supported on Python < 3.7.
The IBM Cinder SVf driver has been tested with a non-vulnerable version of the requests library.
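To make the vulnerability described above and the remediation check concrete, the following is an added example for this bulletin; it is not IBM's, the Cinder plug-in's or the requests project's own code. It models, offline and in simplified form, the redirect-time proxy header handling of requests: `rebuild_proxy_headers` mirrors the pre-2.31.0 behaviour when `fixed=False` (an inherited Proxy-Authorization header is never removed, and credentials for an https proxy are placed on the request itself, where they travel through the CONNECT tunnel to the destination) and the 2.31.0 behaviour when `fixed=True` (the inherited header is always dropped and the header is only set for plain http, where the request line really goes to the proxy). The proxy URL, credentials and hostnames are constructed for the example, and `is_fixed_version` is a hypothetical helper for the remediation step, not part of requests.

```python
"""Model of the CVE-2023-32681 Proxy-Authorization leak and a version check
for the fix in requests 2.31.0 (added example, not project code)."""

from base64 import b64encode
from urllib.parse import urlparse

# Constructed configuration: an HTTP proxy that requires Basic authentication.
PROXIES = {"http": "http://alice:s3cret@proxy.internal:3128"}


def _basic_auth_str(username, password):
    """Basic auth header value as a proxy expects it."""
    token = b64encode(f"{username}:{password}".encode("latin1")).decode("ascii")
    return "Basic " + token


def _get_auth_from_url(url):
    """Credentials embedded in a proxy URL (user:pass@host), if any."""
    parts = urlparse(url)
    return parts.username, parts.password


def rebuild_proxy_headers(url, headers, proxies, fixed):
    """Recompute the Proxy-Authorization header for one (redirected) request.

    fixed=False models requests < 2.31.0: a header left over from the previous
    hop is kept, and https proxy credentials are added to the request headers.
    fixed=True models requests >= 2.31.0: any inherited header is removed and
    the header is only added for plain http requests.
    """
    headers = dict(headers)  # never mutate the caller's headers
    scheme = urlparse(url).scheme
    if fixed and "Proxy-Authorization" in headers:
        del headers["Proxy-Authorization"]
    username, password = None, None
    if scheme in proxies:
        username, password = _get_auth_from_url(proxies[scheme])
    # In the fixed logic, https goes through a CONNECT tunnel and the proxy
    # library sends the credentials in the CONNECT request instead.
    if username and password and not (fixed and scheme.startswith("https")):
        headers["Proxy-Authorization"] = _basic_auth_str(username, password)
    return headers


def follow_redirect(start_url, redirect_url, proxies, fixed):
    """Simulate one request plus one redirect; return the headers that would
    reach the server at redirect_url."""
    first = rebuild_proxy_headers(start_url, {"User-Agent": "example"}, proxies, fixed)
    return rebuild_proxy_headers(redirect_url, first, proxies, fixed)


def leaks_proxy_auth(start_url, redirect_url, proxies, fixed):
    """True if the proxy credentials would reach an https destination server."""
    final = follow_redirect(start_url, redirect_url, proxies, fixed)
    return urlparse(redirect_url).scheme == "https" and "Proxy-Authorization" in final


def is_fixed_version(version):
    """True if a requests version string is >= 2.31.0.

    Hypothetical remediation helper: only the leading numeric part of each of
    the first three components is compared, so pre-release suffixes are ignored.
    """
    nums = []
    for part in version.split(".")[:3]:
        digits = ""
        for ch in part:
            if not ch.isdigit():
                break
            digits += ch
        nums.append(int(digits or 0))
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums) >= (2, 31, 0)


if __name__ == "__main__":
    start, target = "http://app.example/login", "https://app.example/home"
    for fixed in (False, True):
        label = "requests >= 2.31.0" if fixed else "requests < 2.31.0"
        print(label, "leaks:", leaks_proxy_auth(start, target, PROXIES, fixed))
    for v in ("2.28.2", "2.31.0"):
        print(v, "fixed" if is_fixed_version(v) else "vulnerable")
```

The redirect from the plain-http login URL to the https home URL is the case the bulletin describes: in the old logic the header computed for the first hop survives into the second, and the destination server receives the proxy password. Running the script against the installed library is not needed; compare the version reported by `requests.__version__` against `is_fixed_version` to decide whether the plug-in's environment still needs the update.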

Workarounds and Mitigations

None

