Bug 1216377 (CVE-2023-45803)

Summary: VUL-0: CVE-2023-45803: python-urllib3,python36-urllib3: Request body not stripped after redirect from 303 status changes request method to GET
Product: [Novell Products] SUSE Security Incidents Reporter: SMASH SMASH <smash_bz>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: daniel.garcia, gabriele.sonnu, gianluca.gabrielli, stoyan.manolov
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/382169/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-45803:4.2:(AV:A/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description SMASH SMASH 2023-10-18 12:50:47 UTC 
urllib3 previously wouldn't remove the HTTP request body when an HTTP redirect response using status 303 "See Other" after the request had its method changed from one that could accept a request body (like POST) to GET as is required by HTTP RFCs. Although the behavior of removing the request body is not specified in the section for redirects, it can be inferred by piecing together information from different sections and we have observed the behavior in other major HTTP client implementations like curl and web browsers.

From RFC 9110 Section 9.3.1:

>  A client SHOULD NOT generate content in a GET request unless it is made directly to an origin server that has previously indicated, in or out of band, that such a request has a purpose and will be adequately supported.

Affected usages

Because the vulnerability requires a previously trusted service to become compromised in order to have an impact on confidentiality we believe the exploitability of this vulnerability is low. Additionally, many users aren't putting sensitive data in HTTP request bodies, if this is the case then this vulnerability isn't exploitable.

Both of the following conditions must be true to be affected by this vulnerability:

  - If you're using urllib3 and submitting sensitive information in the HTTP request body (such as form data or JSON)
  - The origin service is compromised and starts redirecting using 303 to a malicious peer or the redirected-to service becomes compromised.

Remediation

You can remediate this vulnerability with any of the following steps:

  * Upgrade to a patched version of urllib3 (v1.26.18 or v2.0.7)
  * Disable redirects for services that you aren't expecting to respond with redirects with redirects=False.
  * Disable automatic redirects with redirects=False and handle 303 redirects manually by stripping the HTTP request body.

References:

https://github.com/urllib3/urllib3/security/advisories/GHSA-g4mx-q9vg-27p4
Comment 1 Gabriele Sonnu 2023-10-18 12:54:57 UTC 
All codestreams tracked as affected.

Upstream advisory:

https://github.com/urllib3/urllib3/security/advisories/GHSA-g4mx-q9vg-27p4

Upstream fix:

https://github.com/urllib3/urllib3/commit/4e98d57809dacab1cbe625fddeec1a290c478ea9
Comment 2 Daniel Garcia 2023-10-18 14:48:15 UTC 
Codestream to update:

openSUSE:Factory
openSUSE:Factory (python-urllib3_1)
SUSE:ALP:Source:Standard:1.0
SUSE:ALP:Source:Standard:1.0 (python-urllib3_1)
SUSE:SLE-12-SP1:Update                                  1.25.10
SUSE:SLE-12-SP3:Update:Products:Cloud8:Update           1.25.10
SUSE:SLE-12-SP3:Update:Products:Teradata:Update         1.22
SUSE:SLE-12-SP4:Update:Products:Cloud9:Update           1.23
SUSE:SLE-15-SP1:Update                                  1.25.10
SUSE:SLE-15-SP3:Update                                  1.25.10
SUSE:Maintenance:30661 (PSP)                            2.0.6

I've just created the requests for Factory and ALP.
Comment 4 OBSbugzilla Bot 2023-10-18 15:15:02 UTC 
This is an autogenerated message for OBS integration:
This bug (1216377) was mentioned in
https://build.opensuse.org/request/show/1118603 Factory / python-urllib3
https://build.opensuse.org/request/show/1118605 Factory / python-urllib3_1
Comment 7 Maintenance Automation 2023-11-02 20:30:06 UTC 
SUSE-SU-2023:4352-1: An update that solves three vulnerabilities can now be installed.

Category: security (moderate)
Bug References: 1215968, 1216275, 1216377
CVE References: CVE-2018-25091, CVE-2023-43804, CVE-2023-45803
Sources used:
SUSE OpenStack Cloud 9 (src): python-urllib3-1.23-3.25.1
SUSE OpenStack Cloud Crowbar 9 (src): python-urllib3-1.23-3.25.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 8 Maintenance Automation 2023-11-03 12:30:03 UTC 
SUSE-SU-2023:4356-1: An update that solves one vulnerability can now be installed.

Category: security (moderate)
Bug References: 1216377
CVE References: CVE-2023-45803
Sources used:
SUSE OpenStack Cloud 8 (src): python-urllib3-1.25.10-5.25.1
SUSE OpenStack Cloud Crowbar 8 (src): python-urllib3-1.25.10-5.25.1
HPE Helion OpenStack 8 (src): python-urllib3-1.25.10-5.25.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 9 Maintenance Automation 2023-11-16 20:30:16 UTC 
SUSE-SU-2023:4468-1: An update that solves one vulnerability can now be installed.

Category: security (moderate)
Bug References: 1216377
CVE References: CVE-2023-45803
Sources used:
Public Cloud Module 12 (src): python-urllib3-1.25.10-3.37.1
SUSE Linux Enterprise Software Development Kit 12 SP5 (src): python-urllib3-1.25.10-3.37.1
SUSE Linux Enterprise High Performance Computing 12 SP5 (src): python-urllib3-1.25.10-3.37.1
SUSE Linux Enterprise Server 12 SP5 (src): python-urllib3-1.25.10-3.37.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): python-urllib3-1.25.10-3.37.1
SUSE Linux Enterprise Workstation Extension 12 12-SP5 (src): python-urllib3-1.25.10-3.37.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 10 Maintenance Automation 2023-11-16 20:30:18 UTC 
SUSE-SU-2023:4467-1: An update that solves one vulnerability can now be installed.

Category: security (moderate)
Bug References: 1216377
CVE References: CVE-2023-45803
Sources used:
openSUSE Leap 15.3 (src): python-urllib3-1.25.10-150300.4.9.1, python-urllib3-test-1.25.10-150300.4.9.1
openSUSE Leap Micro 5.3 (src): python-urllib3-1.25.10-150300.4.9.1
openSUSE Leap Micro 5.4 (src): python-urllib3-1.25.10-150300.4.9.1
openSUSE Leap 15.4 (src): python-urllib3-1.25.10-150300.4.9.1
openSUSE Leap 15.5 (src): python-urllib3-1.25.10-150300.4.9.1
SUSE Linux Enterprise Micro for Rancher 5.3 (src): python-urllib3-1.25.10-150300.4.9.1
SUSE Linux Enterprise Micro 5.3 (src): python-urllib3-1.25.10-150300.4.9.1
SUSE Linux Enterprise Micro for Rancher 5.4 (src): python-urllib3-1.25.10-150300.4.9.1
SUSE Linux Enterprise Micro 5.4 (src): python-urllib3-1.25.10-150300.4.9.1
SUSE Linux Enterprise Micro 5.5 (src): python-urllib3-1.25.10-150300.4.9.1
Basesystem Module 15-SP4 (src): python-urllib3-1.25.10-150300.4.9.1
Basesystem Module 15-SP5 (src): python-urllib3-1.25.10-150300.4.9.1
SUSE Manager Proxy 4.2 (src): python-urllib3-1.25.10-150300.4.9.1
SUSE Manager Retail Branch Server 4.2 (src): python-urllib3-1.25.10-150300.4.9.1
SUSE Manager Server 4.2 (src): python-urllib3-1.25.10-150300.4.9.1
SUSE Linux Enterprise Micro 5.1 (src): python-urllib3-1.25.10-150300.4.9.1
SUSE Linux Enterprise Micro 5.2 (src): python-urllib3-1.25.10-150300.4.9.1
SUSE Linux Enterprise Micro for Rancher 5.2 (src): python-urllib3-1.25.10-150300.4.9.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 17 Marcus Meissner 2024-04-15 15:09:06 UTC 
released
Comment 21 Maintenance Automation 2024-07-12 16:31:41 UTC 
SUSE-SU-2024:2462-1: An update that solves one vulnerability can now be installed.

Category: security (moderate)
Bug References: 1216377
CVE References: CVE-2023-45803
Maintenance Incident: [SUSE:Maintenance:31279](https://smelt.suse.de/incident/31279/)
Sources used:
SUSE Linux Enterprise Micro 5.5 (src):
 python-urllib3-1.25.10-150300.4.9.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.