CVE-2023-32681

Requests is an HTTP library. Since Requests 2.3.0, Requests has been leaking Proxy-Authorization headers to destination servers when redirected to an HTTPS endpoint. This is a product of how we use `rebuild_proxies` to reattach the `Proxy-Authorization` header to requests. For HTTP connections sent through the tunnel, the proxy will identify the header in the request itself and remove it prior to forwarding to the destination server. However, when sent over HTTPS, the `Proxy-Authorization` header must be sent in the CONNECT request, as the proxy has no visibility into the tunneled request. This results in Requests forwarding proxy credentials to the destination server unintentionally, allowing a malicious actor to potentially exfiltrate sensitive information. This issue has been patched in version 2.31.0.
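As an added illustration (not code from the Requests project), the model below reproduces the redirect behaviour the advisory describes: the pre-2.31.0 logic reattaches `Proxy-Authorization` for every scheme, so on an https redirect the credential rides inside the TLS tunnel to the destination, while the 2.31.0 logic leaves it off https requests because the proxy only needs it in the CONNECT. The function names, proxy hostnames and credentials are constructed for the example.

```python
import base64
from urllib.parse import unquote, urlparse


def basic_auth_str(username, password):
    """Build an RFC 7617 Basic credential from a proxy URL's user:pass pair."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode("ascii")
    return f"Basic {token}"


def rebuild_proxy_auth(headers, url, proxies, patched):
    """Headers a client would send after being redirected to `url`.

    `proxies` maps a scheme to a proxy URL that may embed user:pass@.
    patched=False models 2.3.0 <= x < 2.31.0 as the advisory describes:
    Proxy-Authorization is reattached for every scheme, so for https it
    travels inside the TLS tunnel to the destination server.
    patched=True models the 2.31.0 fix: for https the credential belongs
    only in the CONNECT request to the proxy, so the header is omitted.
    """
    headers = dict(headers)
    scheme = urlparse(url).scheme
    headers.pop("Proxy-Authorization", None)  # drop the previous hop's value
    proxy = proxies.get(scheme)
    if not proxy:
        return headers
    parsed = urlparse(proxy)
    if parsed.username is None or parsed.password is None:
        return headers
    if patched and scheme == "https":
        return headers
    headers["Proxy-Authorization"] = basic_auth_str(
        unquote(parsed.username), unquote(parsed.password)
    )
    return headers


def leaks_proxy_credentials(headers, url, proxies, patched):
    """True if the destination of a TLS-tunnelled request sees the proxy credential."""
    sent = rebuild_proxy_auth(headers, url, proxies, patched)
    return urlparse(url).scheme == "https" and "Proxy-Authorization" in sent


# Constructed sample values; hostnames and credentials are hypothetical.
SAMPLE_PROXIES = {
    "http": "http://proxyuser:s3cret@proxy.example.internal:8080",
    "https": "http://proxyuser:s3cret@proxy.example.internal:8080",
}
REDIRECT_TARGET = "https://destination.example.net/landing"
```

`leaks_proxy_credentials({}, REDIRECT_TARGET, SAMPLE_PROXIES, patched=False)` returns True and the same call with `patched=True` returns False, which is the behaviour change the 2.31.0 fix introduced.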
Base Score (CVSS 3.x)

| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector                                       |
| NIST     | NIST | 6.1 MEDIUM | NETWORK     | HIGH            | NONE           | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N |
| GitHub_M | CNA  | 6.1 MEDIUM | NETWORK     | HIGH            | NONE           | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N |
| CVE      | ADP  | ---        | ---         |                 |                |                                              |
| CISA-ADP | ADP  | ---        | ---         |                 |                |                                              |

EPSS Score Percentile: 88%
| Vendor | Product  | Version            |
| python | requests | 2.3.0 ≤ x < 2.31.0 |

x = Vulnerable software versions
Debian Releases

| Debian Product | Codename | Fixed version | Status |
| requests       | bullseye |               | no-dsa |
| requests       | bookworm |               | no-dsa |
| requests       | sid      | 2.32.3+dfsg-1 | fixed  |
| requests       | trixie   | 2.32.3+dfsg-1 | fixed  |
Ubuntu Releases

| Ubuntu Product | Codename | Fixed version             | Status       |
| python-pip     | oracular |                           | not-affected |
| python-pip     | noble    |                           | not-affected |
| python-pip     | mantic   |                           | not-affected |
| python-pip     | lunar    |                           | ignored      |
| python-pip     | kinetic  |                           | ignored      |
| python-pip     | jammy    |                           | needed       |
| python-pip     | focal    | 20.0.2-5ubuntu1.9         | released     |
| python-pip     | bionic   |                           | needs-triage |
| python-pip     | xenial   |                           | needs-triage |
| python-pip     | trusty   |                           | ignored      |
| requests       | oracular | 2.28.1+dfsg-1ubuntu2      | released     |
| requests       | noble    | 2.28.1+dfsg-1ubuntu2      | released     |
| requests       | mantic   | 2.28.1+dfsg-1ubuntu2      | released     |
| requests       | lunar    | 2.28.1+dfsg-1ubuntu1.1    | released     |
| requests       | kinetic  | 2.27.1+dfsg-1ubuntu2.1    | released     |
| requests       | jammy    | 2.25.1+dfsg-2ubuntu0.1    | released     |
| requests       | focal    | 2.22.0-2ubuntu1.1         | released     |
| requests       | bionic   | 2.18.4-2ubuntu0.1+esm1    | released     |
| requests       | xenial   | 2.9.1-3ubuntu0.1+esm1     | released     |
| requests       | trusty   |                           | ignored      |