Bugzilla – Bug 1216377
VUL-0: CVE-2023-45803: python-urllib3,python36-urllib3: Request body not stripped after redirect from 303 status changes request method to GET
Last modified: 2024-07-12 16:31:41 UTC
urllib3 previously wouldn't remove the HTTP request body when following an HTTP redirect response using status 303 "See Other" after the request had its method changed from one that could accept a request body (like POST) to GET, as is required by HTTP RFCs. Although the behavior of removing the request body is not specified in the section for redirects, it can be inferred by piecing together information from different sections, and we have observed the behavior in other major HTTP client implementations like curl and web browsers.

From RFC 9110 Section 9.3.1:

> A client SHOULD NOT generate content in a GET request unless it is made directly to an origin server that has previously indicated, in or out of band, that such a request has a purpose and will be adequately supported.

Affected usages

Because the vulnerability requires a previously trusted service to become compromised in order to have an impact on confidentiality, we believe the exploitability of this vulnerability is low. Additionally, many users aren't putting sensitive data in HTTP request bodies; if this is the case then this vulnerability isn't exploitable.

Both of the following conditions must be true to be affected by this vulnerability:

- If you're using urllib3 and submitting sensitive information in the HTTP request body (such as form data or JSON)
- The origin service is compromised and starts redirecting using 303 to a malicious peer, or the redirected-to service becomes compromised.

Remediation

You can remediate this vulnerability with any of the following steps:

* Upgrade to a patched version of urllib3 (v1.26.18 or v2.0.7)
* Disable redirects for services that you aren't expecting to respond with redirects with redirects=False.
* Disable automatic redirects with redirects=False and handle 303 redirects manually by stripping the HTTP request body.

References: https://github.com/urllib3/urllib3/security/advisories/GHSA-g4mx-q9vg-27p4
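Added example, not part of the advisory or of urllib3's own code: a minimal model of the manual 303 handling the remediation describes (automatic redirects disabled, the redirect driven by hand), with the pre-fix behaviour selectable so the two can be compared. The host names, `FakeTransport` and `next_request` are constructed assumptions for an offline run, and `FakeTransport` plays the advisory's scenario of a trusted origin that starts 303-redirecting POSTs elsewhere.

```python
from dataclasses import dataclass, field

# Headers that describe a request body; they go away when the body does.
BODY_HEADERS = frozenset({"content-length", "content-type", "transfer-encoding"})
REDIRECT_STATUSES = (301, 302, 303, 307, 308)


def next_request(method, url, body, headers, status, location, strip_303_body=True):
    """Compute the follow-up request for a redirect response.

    strip_303_body=False reproduces the pre-fix behaviour (CVE-2023-45803):
    the method flips to GET on 303 but the original body is still sent.
    """
    headers = dict(headers)
    if status == 303:  # 303 "See Other" is always followed with a GET
        method = "GET"
        if strip_303_body:  # a GET carries no content, so drop body and its headers
            body = None
            headers = {k: v for k, v in headers.items() if k.lower() not in BODY_HEADERS}
    return {"method": method, "url": location, "body": body, "headers": headers}


@dataclass
class FakeResponse:
    status: int
    headers: dict = field(default_factory=dict)


@dataclass
class FakeTransport:
    """Constructed stand-in for the network: the 'trusted' origin 303-redirects POSTs."""
    sent: list = field(default_factory=list)

    def send(self, method, url, body, headers):
        self.sent.append({"method": method, "url": url, "body": body, "headers": headers})
        if url.startswith("https://trusted.example/") and method == "POST":
            return FakeResponse(303, {"Location": "https://other.example/landing"})
        return FakeResponse(200)


def follow_manually(transport, method, url, body, headers, max_redirects=5, **kw):
    """Drive redirects by hand, as you would after disabling automatic redirects."""
    for _ in range(max_redirects):
        resp = transport.send(method, url, body, headers)
        if resp.status not in REDIRECT_STATUSES or "Location" not in resp.headers:
            return resp
        nxt = next_request(method, url, body, headers, resp.status, resp.headers["Location"], **kw)
        method, url, body, headers = nxt["method"], nxt["url"], nxt["body"], nxt["headers"]
    raise RuntimeError("too many redirects")
```

Inspecting `transport.sent[1]` after a run shows what the redirected-to host actually receives: a bare GET with the fix, the original JSON body without it.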
All codestreams tracked as affected.

Upstream advisory: https://github.com/urllib3/urllib3/security/advisories/GHSA-g4mx-q9vg-27p4
Upstream fix: https://github.com/urllib3/urllib3/commit/4e98d57809dacab1cbe625fddeec1a290c478ea9
Codestream to update:

openSUSE:Factory
openSUSE:Factory (python-urllib3_1)
SUSE:ALP:Source:Standard:1.0
SUSE:ALP:Source:Standard:1.0 (python-urllib3_1)
SUSE:SLE-12-SP1:Update 1.25.10
SUSE:SLE-12-SP3:Update:Products:Cloud8:Update 1.25.10
SUSE:SLE-12-SP3:Update:Products:Teradata:Update 1.22
SUSE:SLE-12-SP4:Update:Products:Cloud9:Update 1.23
SUSE:SLE-15-SP1:Update 1.25.10
SUSE:SLE-15-SP3:Update 1.25.10
SUSE:Maintenance:30661 (PSP) 2.0.6

I've just created the requests for Factory and ALP.
This is an autogenerated message for OBS integration:

This bug (1216377) was mentioned in
https://build.opensuse.org/request/show/1118603 Factory / python-urllib3
https://build.opensuse.org/request/show/1118605 Factory / python-urllib3_1
SUSE-SU-2023:4352-1: An update that solves three vulnerabilities can now be installed.

Category: security (moderate)
Bug References: 1215968, 1216275, 1216377
CVE References: CVE-2018-25091, CVE-2023-43804, CVE-2023-45803
Sources used:
SUSE OpenStack Cloud 9 (src): python-urllib3-1.23-3.25.1
SUSE OpenStack Cloud Crowbar 9 (src): python-urllib3-1.23-3.25.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:4356-1: An update that solves one vulnerability can now be installed.

Category: security (moderate)
Bug References: 1216377
CVE References: CVE-2023-45803
Sources used:
SUSE OpenStack Cloud 8 (src): python-urllib3-1.25.10-5.25.1
SUSE OpenStack Cloud Crowbar 8 (src): python-urllib3-1.25.10-5.25.1
HPE Helion OpenStack 8 (src): python-urllib3-1.25.10-5.25.1
SUSE-SU-2023:4468-1: An update that solves one vulnerability can now be installed.

Category: security (moderate)
Bug References: 1216377
CVE References: CVE-2023-45803
Sources used:
Public Cloud Module 12 (src): python-urllib3-1.25.10-3.37.1
SUSE Linux Enterprise Software Development Kit 12 SP5 (src): python-urllib3-1.25.10-3.37.1
SUSE Linux Enterprise High Performance Computing 12 SP5 (src): python-urllib3-1.25.10-3.37.1
SUSE Linux Enterprise Server 12 SP5 (src): python-urllib3-1.25.10-3.37.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): python-urllib3-1.25.10-3.37.1
SUSE Linux Enterprise Workstation Extension 12 12-SP5 (src): python-urllib3-1.25.10-3.37.1
SUSE-SU-2023:4467-1: An update that solves one vulnerability can now be installed.

Category: security (moderate)
Bug References: 1216377
CVE References: CVE-2023-45803
Sources used:
openSUSE Leap 15.3 (src): python-urllib3-1.25.10-150300.4.9.1, python-urllib3-test-1.25.10-150300.4.9.1
openSUSE Leap Micro 5.3 (src): python-urllib3-1.25.10-150300.4.9.1
openSUSE Leap Micro 5.4 (src): python-urllib3-1.25.10-150300.4.9.1
openSUSE Leap 15.4 (src): python-urllib3-1.25.10-150300.4.9.1
openSUSE Leap 15.5 (src): python-urllib3-1.25.10-150300.4.9.1
SUSE Linux Enterprise Micro for Rancher 5.3 (src): python-urllib3-1.25.10-150300.4.9.1
SUSE Linux Enterprise Micro 5.3 (src): python-urllib3-1.25.10-150300.4.9.1
SUSE Linux Enterprise Micro for Rancher 5.4 (src): python-urllib3-1.25.10-150300.4.9.1
SUSE Linux Enterprise Micro 5.4 (src): python-urllib3-1.25.10-150300.4.9.1
SUSE Linux Enterprise Micro 5.5 (src): python-urllib3-1.25.10-150300.4.9.1
Basesystem Module 15-SP4 (src): python-urllib3-1.25.10-150300.4.9.1
Basesystem Module 15-SP5 (src): python-urllib3-1.25.10-150300.4.9.1
SUSE Manager Proxy 4.2 (src): python-urllib3-1.25.10-150300.4.9.1
SUSE Manager Retail Branch Server 4.2 (src): python-urllib3-1.25.10-150300.4.9.1
SUSE Manager Server 4.2 (src): python-urllib3-1.25.10-150300.4.9.1
SUSE Linux Enterprise Micro 5.1 (src): python-urllib3-1.25.10-150300.4.9.1
SUSE Linux Enterprise Micro 5.2 (src): python-urllib3-1.25.10-150300.4.9.1
SUSE Linux Enterprise Micro for Rancher 5.2 (src): python-urllib3-1.25.10-150300.4.9.1
released
SUSE-SU-2024:2462-1: An update that solves one vulnerability can now be installed.

Category: security (moderate)
Bug References: 1216377
CVE References: CVE-2023-45803
Maintenance Incident: [SUSE:Maintenance:31279](https://smelt.suse.de/incident/31279/)
Sources used:
SUSE Linux Enterprise Micro 5.5 (src): python-urllib3-1.25.10-150300.4.9.1