Bugzilla – Bug 1211674
VUL-0: CVE-2023-32681: python-requests,python36-requests,python3-requests: Unintended leak of Proxy-Authorization header
Last modified: 2024-06-13 15:51:21 UTC
CVE-2023-32681 Versions of Requests between v2.3.0 and v2.30.0 are vulnerable to potential forwarding of `Proxy-Authorization` headers to destination servers when following HTTPS redirects. When proxies are defined with user info (https://user:pass@proxy:8080), Requests will construct a `Proxy-Authorization` header that is attached to the request to authenticate with the proxy. In cases where Requests receives a redirect response, it previously reattached the `Proxy-Authorization` header incorrectly, resulting in the value being sent through the tunneled connection to the destination server. Users who rely on defining their proxy credentials in the URL are *strongly* encouraged to upgrade to Requests 2.31.0+ to prevent unintentional leakage and rotate their proxy credentials once the change has been fully deployed. Users who do not use a proxy or do not supply their proxy credentials through the user information portion of their proxy URL are not subject to this vulnerability. [Github Security Advisory](https://github.com/psf/requests/security/advisories/GHSA-j8r2-6x86-q33q) References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-32681 https://bugzilla.redhat.com/show_bug.cgi?id=2209469
Affected: - SUSE:SLE-12-SP1:Update/python-requests 2.24.0 - SUSE:SLE-12-SP2:Update/python3-requests 2.24.0 - SUSE:SLE-12:Update/python-requests 2.11.1 - SUSE:SLE-12-SP3:Update:Products:Teradata:Update/python36-requests 2.24.0 - SUSE:SLE-15-SP1:Update/python-requests 2.24.0 - SUSE:SLE-15-SP3:Update/python-requests 2.24.0 - SUSE:SLE-15:Update/python-requests 2.18.4 - openSUSE:Factory/python-requests 2.30.0 Affected, but cvss < 7, so wontfix: - SUSE:SLE-12-SP3:Update:Products:Cloud8:Update/python-requests 2.24.0 - SUSE:SLE-12-SP4:Update:Products:Cloud9:Update/python-requests 2.20.1 Affected, but unsupported, so wontfix: - SUSE:SLE-12:Update:Products:ManagerToolsBeta:Update/python-requests 2.11.1 Not Affected: - SUSE:SLE-11-SP1:Update:Teradata/python27-requests 2.0.1 - SUSE:SLE-11-SP3:Update/python-requests 2.0.1
This is an autogenerated message for OBS integration: This bug (1211674) was mentioned in https://build.opensuse.org/request/show/1092607 Factory / python-requests
SUSE-SU-2023:2866-1: An update that solves one vulnerability can now be installed. Category: security (moderate) Bug References: 1211674 CVE References: CVE-2023-32681 Sources used: Basesystem Module 15-SP5 (src): python-requests-2.24.0-150300.3.3.1 SUSE Linux Enterprise Real Time 15 SP3 (src): python-requests-2.24.0-150300.3.3.1 SUSE Manager Proxy 4.2 (src): python-requests-2.24.0-150300.3.3.1 SUSE Manager Retail Branch Server 4.2 (src): python-requests-2.24.0-150300.3.3.1 SUSE Manager Server 4.2 (src): python-requests-2.24.0-150300.3.3.1 SUSE Linux Enterprise Micro 5.1 (src): python-requests-2.24.0-150300.3.3.1 SUSE Linux Enterprise Micro 5.2 (src): python-requests-2.24.0-150300.3.3.1 SUSE Linux Enterprise Micro for Rancher 5.2 (src): python-requests-2.24.0-150300.3.3.1 openSUSE Leap Micro 5.3 (src): python-requests-2.24.0-150300.3.3.1 openSUSE Leap 15.4 (src): python-requests-2.24.0-150300.3.3.1 openSUSE Leap 15.5 (src): python-requests-2.24.0-150300.3.3.1 SUSE Linux Enterprise Micro for Rancher 5.3 (src): python-requests-2.24.0-150300.3.3.1 SUSE Linux Enterprise Micro 5.3 (src): python-requests-2.24.0-150300.3.3.1 SUSE Linux Enterprise Micro for Rancher 5.4 (src): python-requests-2.24.0-150300.3.3.1 SUSE Linux Enterprise Micro 5.4 (src): python-requests-2.24.0-150300.3.3.1 Basesystem Module 15-SP4 (src): python-requests-2.24.0-150300.3.3.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:2865-1: An update that solves one vulnerability can now be installed. Category: security (moderate) Bug References: 1211674 CVE References: CVE-2023-32681 Sources used: Advanced Systems Management Module 12 (src): python-requests-2.11.1-6.34.1 SUSE Linux Enterprise Server for SAP Applications 12 SP4 (src): python-requests-2.11.1-6.34.1 SUSE Linux Enterprise High Availability Extension 12 SP4 (src): python-requests-2.11.1-6.34.1 SUSE Manager Client Tools for SLE 12 (src): python-requests-2.11.1-6.34.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Fixed, an update that solves one vulnerability can now be installed.
SUSE-SU-2023:3094-1: An update that solves one vulnerability can now be installed. Category: security (moderate) Bug References: 1211674 CVE References: CVE-2023-32681 Sources used: Public Cloud Module 15-SP1 (src): python-requests-2.25.1-150100.6.16.1 SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS 15-SP1 (src): python-requests-2.25.1-150100.6.16.1 SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): python-requests-2.25.1-150100.6.16.1 SUSE Linux Enterprise Server 15 SP1 LTSS 15-SP1 (src): python-requests-2.25.1-150100.6.16.1 SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): python-requests-2.25.1-150100.6.16.1 SUSE Linux Enterprise Server for SAP Applications 15 SP1 (src): python-requests-2.25.1-150100.6.16.1 SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): python-requests-2.25.1-150100.6.16.1 SUSE Enterprise Storage 7 (src): python-requests-2.25.1-150100.6.16.1 SUSE CaaS Platform 4.0 (src): python-requests-2.25.1-150100.6.16.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:2638-1: An update that solves one vulnerability can now be installed. Category: security (moderate) Bug References: 1211674 CVE References: CVE-2023-32681 Sources used: Public Cloud Module 12 (src): python-requests-2.24.0-8.14.1 SUSE Linux Enterprise High Performance Computing 12 SP5 (src): python-requests-2.24.0-8.14.1 SUSE Linux Enterprise Server 12 SP5 (src): python-requests-2.24.0-8.14.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): python-requests-2.24.0-8.14.1 SUSE Linux Enterprise High Availability Extension 12 SP5 (src): python-requests-2.24.0-8.14.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:2883-1: An update that solves one vulnerability can now be installed. Category: security (moderate) Bug References: 1211674 CVE References: CVE-2023-32681 Sources used: SUSE Linux Enterprise Software Development Kit 12 SP5 (src): python3-requests-2.24.0-8.17.1 SUSE Linux Enterprise High Performance Computing 12 SP5 (src): python3-requests-2.24.0-8.17.1 SUSE Linux Enterprise Server 12 SP5 (src): python3-requests-2.24.0-8.17.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): python3-requests-2.24.0-8.17.1 SUSE Linux Enterprise Workstation Extension 12 12-SP5 (src): python3-requests-2.24.0-8.17.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.