CVSS3 | Value |
---|---|
Base score | 6.1 Medium |
Attack Vector | NETWORK |
Attack Complexity | HIGH |
Privileges Required | NONE |
User Interaction | REQUIRED |
Scope | CHANGED |
Confidentiality Impact | HIGH |
Integrity Impact | NONE |
Availability Impact | NONE |
Vector string | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N |

EPSS | Value |
---|---|
Score | 0.002 Low |
Percentile | 51.8% |
Requests is an HTTP library. Since Requests 2.3.0, Requests has been leaking `Proxy-Authorization` headers to destination servers when redirected to an HTTPS endpoint. This is a product of how we use `rebuild_proxies` to reattach the `Proxy-Authorization` header to requests. For HTTP connections sent through the tunnel, the proxy will identify the header in the request itself and remove it prior to forwarding to the destination server. However, when sent over HTTPS, the `Proxy-Authorization` header must be sent in the CONNECT request as the proxy has no visibility into the tunneled request. This results in Requests forwarding proxy credentials to the destination server unintentionally, allowing a malicious actor to potentially exfiltrate sensitive information. This issue has been patched in version 2.31.0.
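To make the described mechanism concrete, the following is an added Python model of how the `Proxy-Authorization` header gets re-attached when a redirect is followed; it is written for this page and is not code from the Requests project. The `leaky` flag, the helper names and the proxy URL are assumptions, and the proxy's stripping of the header on plain HTTP is simulated rather than done by a real proxy.

```python
import base64
from urllib.parse import urlparse, unquote

# Constructed sample proxy configuration with embedded credentials (not real).
PROXIES = {
    "http": "http://user:secret@proxy.example:3128",
    "https": "http://user:secret@proxy.example:3128",
}


def basic_auth_str(username, password):
    """Encode credentials as an HTTP Basic header value."""
    token = base64.b64encode(f"{username}:{password}".encode("latin1"))
    return "Basic " + token.decode("ascii")


def proxy_credentials(proxies, scheme):
    """Return (user, password) from the proxy URL configured for scheme, or None."""
    parsed = urlparse(proxies.get(scheme, ""))
    if parsed.username is None or parsed.password is None:
        return None
    return unquote(parsed.username), unquote(parsed.password)


def rebuild_proxy_header(url, headers, proxies, leaky):
    """Model of re-attaching Proxy-Authorization when a redirect is followed.

    leaky=True mirrors the pre-2.31.0 behaviour described above: the header is
    re-attached for every scheme, so for an https:// destination it travels
    inside the TLS tunnel and reaches the origin server.
    leaky=False attaches it only for http://, where the proxy sees it and strips
    it; for https:// the credentials belong in the CONNECT request alone.
    """
    headers = dict(headers)
    headers.pop("Proxy-Authorization", None)
    scheme = urlparse(url).scheme
    creds = proxy_credentials(proxies, scheme)
    if creds and (leaky or not scheme.startswith("https")):
        headers["Proxy-Authorization"] = basic_auth_str(*creds)
    return headers


def headers_seen_by_origin(start_url, location, proxies, leaky):
    """Simulate one redirect hop and return the headers the destination origin receives."""
    headers = rebuild_proxy_header(start_url, {}, proxies, leaky)
    headers = rebuild_proxy_header(location, headers, proxies, leaky)
    if urlparse(location).scheme == "https":
        return headers  # tunneled through CONNECT: the proxy cannot strip anything
    return {k: v for k, v in headers.items() if k != "Proxy-Authorization"}
```

Running the http-to-https hop with `leaky=True` shows the credentials arriving at the origin, while `leaky=False` keeps them out of the tunneled request.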
Author | Note |
---|---|
mdeslaur | On focal and earlier, the python-pip package bundles requests binaries when built. After updating requests, a no-change rebuild of python-pip is required. On jammy and later, requests is bundled in the python-pip package and needs to be patched. |
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
ubuntu | 18.04 | noarch | python-pip | < any | UNKNOWN |
ubuntu | 20.04 | noarch | python-pip | < 20.0.2-5ubuntu1.9 | UNKNOWN |
ubuntu | 22.04 | noarch | python-pip | < any | UNKNOWN |
ubuntu | 14.04 | noarch | python-pip | < any | UNKNOWN |
ubuntu | 16.04 | noarch | python-pip | < any | UNKNOWN |
ubuntu | 18.04 | noarch | requests | < 2.18.4-2ubuntu0.1+esm1 | UNKNOWN |
ubuntu | 20.04 | noarch | requests | < 2.22.0-2ubuntu1.1 | UNKNOWN |
ubuntu | 22.04 | noarch | requests | < 2.25.1+dfsg-2ubuntu0.1 | UNKNOWN |
ubuntu | 22.10 | noarch | requests | < 2.27.1+dfsg-1ubuntu2.1 | UNKNOWN |
ubuntu | 23.04 | noarch | requests | < 2.28.1+dfsg-1ubuntu1.1 | UNKNOWN |
github.com/psf/requests/security/advisories/GHSA-j8r2-6x86-q33q
launchpad.net/bugs/cve/CVE-2023-32681
nvd.nist.gov/vuln/detail/CVE-2023-32681
security-tracker.debian.org/tracker/CVE-2023-32681
ubuntu.com/security/notices/USN-6155-1
ubuntu.com/security/notices/USN-6155-2
www.cve.org/CVERecord?id=CVE-2023-32681