CVE-2023-45803

urllib3 is a user-friendly HTTP client library for Python. urllib3 previously wouldn't remove the HTTP request body when an HTTP redirect response using status 301, 302, or 303 after the request had its method changed from one that could accept a request body (like `POST`) to `GET` as is required by HTTP RFCs. Although this behavior is not specified in the section for redirects, it can be inferred by piecing together information from different sections and we have observed the behavior in other major HTTP client implementations like curl and web browsers. Because the vulnerability requires a previously trusted service to become compromised in order to have an impact on confidentiality we believe the exploitability of this vulnerability is low. Additionally, many users aren't putting sensitive data in HTTP request bodies, if this is the case then this vulnerability isn't exploitable. Both of the following conditions must be true to be affected by this vulnerability: 1. Using urllib3 and submitting sensitive information in the HTTP request body (such as form data or JSON) and 2. The origin service is compromised and starts redirecting using 301, 302, or 303 to a malicious peer or the redirected-to service becomes compromised. This issue has been addressed in versions 1.26.18 and 2.0.7 and users are advised to update to resolve this issue. Users unable to update should disable redirects for services that aren't expecting to respond with redirects with `redirects=False` and disable automatic redirects with `redirects=False` and handle 301, 302, and 303 redirects manually by stripping the HTTP request body.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
GitHub_MCNA
4.2 MEDIUM
ADJACENT_NETWORK
HIGH
HIGH
CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 17%
Affected Products (NVD)
VendorProductVersion
pythonurllib3
𝑥
< 1.26.18
pythonurllib3
2.0.0 ≤
𝑥
< 2.0.7
𝑥
= Vulnerable software versions
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
VendorProductVersionSource
urllib3urllib3
𝑥
< 1.26.18
CNA
Debian logo
Debian Releases
Debian Product
Codename
python-urllib3
bookworm
no-dsa
bullseye
vulnerable
bullseye (security)
1.26.5-1~exp1+deb11u1
fixed
sid
2.2.3-4
fixed
trixie
2.2.3-4
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
python-pip
bionic
Fixed 9.0.1-2.3~ubuntu1.18.04.8+esm2
released
focal
Fixed 20.0.2-5ubuntu1.10
released
jammy
Fixed 22.0.2+dfsg-1ubuntu0.4
released
lunar
Fixed 23.0.1+dfsg-1ubuntu0.2
released
mantic
Fixed 23.2+dfsg-1ubuntu0.1
released
noble
needs-triage
oracular
needs-triage
trusty
ignored
xenial
Fixed 8.1.1-2ubuntu0.6+esm6
released
python-urllib3
bionic
Fixed 1.22-1ubuntu0.18.04.2+esm1
released
focal
Fixed 1.25.8-2ubuntu0.3
released
jammy
Fixed 1.26.5-1~exp1ubuntu0.1
released
lunar
Fixed 1.26.12-1ubuntu0.1
released
mantic
Fixed 1.26.16-1ubuntu0.1
released
noble
not-affected
oracular
not-affected
trusty
ignored
xenial
Fixed 1.13.1-2ubuntu0.16.04.4+esm1
released
openSUSE logo
openSUSE / SLES Releases
openSUSE Product
Release
python-urllib3
suse enterprise sap 12
1.25.10-3.37.1
fixed
suse enterprise sap 12 SP3
1.25.10-3.37.1
fixed
suse enterprise sap 12 SP4
1.25.10-3.37.1
fixed
suse enterprise sap 12 SP5
1.25.10-3.37.1
fixed
suse enterprise server 12
1.25.10-3.37.1
fixed
suse enterprise server 12 SP3
1.22-7.19.1
fixed
suse enterprise server 12 SP4
1.25.10-3.37.1
fixed
suse enterprise server 12 SP5
1.25.10-3.37.1
fixed
python3-urllib3
suse enterprise sap 12
1.25.10-3.37.1
fixed
suse enterprise sap 12 SP3
1.25.10-3.37.1
fixed
suse enterprise sap 12 SP4
1.25.10-3.37.1
fixed
suse enterprise sap 12 SP5
1.25.10-3.37.1
fixed
suse enterprise server 12
1.25.10-3.37.1
fixed
suse enterprise server 12 SP3
1.25.10-3.37.1
fixed
suse enterprise server 12 SP4
1.25.10-3.37.1
fixed
suse enterprise server 12 SP5
1.25.10-3.37.1
fixed
python311-urllib3
suse enterprise desktop 15 SP6
2.0.7-150400.7.11.1
fixed
suse enterprise sap 15 SP6
2.0.7-150400.7.11.1
fixed
suse enterprise server 15 SP6
2.0.7-150400.7.11.1
fixed
python311-urllib3_1
suse enterprise desktop 15 SP6
1.26.18-150600.1.4
fixed
suse enterprise sap 15 SP6
1.26.18-150600.1.4
fixed
suse enterprise server 15 SP6
1.26.18-150600.1.4
fixed
python36-urllib3
suse enterprise server 12 SP3
1.25.10-6.6.1
fixed
Red Hat logo
Red Hat Enterprise Linux Releases
Red Hat Product
Release
fence-agents-aliyun
RHEL 8
0:4.2.1-129.el8
fixed
RHEL 9
0:4.10.0-62.el9
fixed
fence-agents-all
RHEL 8
0:4.2.1-129.el8
fixed
RHEL 9
0:4.10.0-62.el9
fixed
fence-agents-amt-ws
RHEL 8
0:4.2.1-129.el8
fixed
RHEL 9
0:4.10.0-62.el9
fixed
fence-agents-apc
RHEL 8
0:4.2.1-129.el8
fixed
RHEL 9
0:4.10.0-62.el9
fixed
fence-agents-apc-snmp
RHEL 8
0:4.2.1-129.el8
fixed
RHEL 9
0:4.10.0-62.el9
fixed
fence-agents-aws
RHEL 8
0:4.2.1-129.el8
fixed
RHEL 9
0:4.10.0-62.el9
fixed
fence-agents-azure-arm
RHEL 8
0:4.2.1-129.el8
fixed
RHEL 9
0:4.10.0-62.el9
fixed
fence-agents-bladecenter
RHEL 8
0:4.2.1-129.el8
fixed
RHEL 9
0:4.10.0-62.el9
fixed
fence-agents-brocade
RHEL 8
0:4.2.1-129.el8
fixed
RHEL 9
0:4.10.0-62.el9
fixed
fence-agents-cisco-mds
RHEL 8
0:4.2.1-129.el8
fixed
RHEL 9
0:4.10.0-62.el9
fixed
fence-agents-cisco-ucs
RHEL 8
0:4.2.1-129.el8
fixed
RHEL 9
0:4.10.0-62.el9
fixed
fence-agents-common
RHEL 8
0:4.2.1-129.el8
fixed
RHEL 9
0:4.10.0-62.el9
fixed
fence-agents-compute
RHEL 8
0:4.2.1-129.el8
fixed
RHEL 9
0:4.10.0-62.el9
fixed
fence-agents-drac5
RHEL 8
0:4.2.1-129.el8
fixed
RHEL 9
0:4.10.0-62.el9
fixed
fence-agents-eaton-snmp
RHEL 8
0:4.2.1-129.el8
fixed
RHEL 9
0:4.10.0-62.el9
fixed
fence-agents-emerson
RHEL 8
0:4.2.1-129.el8
fixed
RHEL 9
0:4.10.0-62.el9
fixed
fence-agents-eps
RHEL 8
0:4.2.1-129.el8
fixed
RHEL 9
0:4.10.0-62.el9
fixed
fence-agents-gce
RHEL 8
0:4.2.1-129.el8
fixed
RHEL 9
0:4.10.0-62.el9
fixed
fence-agents-heuristics-ping
RHEL 8
0:4.2.1-129.el8
fixed
RHEL 9
0:4.10.0-62.el9
fixed
fence-agents-hpblade
RHEL 8
0:4.2.1-129.el8
fixed
RHEL 9
0:4.10.0-62.el9
fixed
fence-agents-ibm-powervs
RHEL 8
0:4.2.1-129.el8
fixed
RHEL 9
0:4.10.0-62.el9
fixed
fence-agents-ibm-vpc
RHEL 8
0:4.2.1-129.el8
fixed
RHEL 9
0:4.10.0-62.el9
fixed
fence-agents-ibmblade
RHEL 8
0:4.2.1-129.el8
fixed
RHEL 9
0:4.10.0-62.el9
fixed
fence-agents-ifmib
RHEL 8
0:4.2.1-129.el8
fixed
RHEL 9
0:4.10.0-62.el9
fixed
fence-agents-ilo-moonshot
RHEL 8
0:4.2.1-129.el8
fixed
RHEL 9
0:4.10.0-62.el9
fixed
fence-agents-ilo-mp
RHEL 8
0:4.2.1-129.el8
fixed
RHEL 9
0:4.10.0-62.el9
fixed
fence-agents-ilo-ssh
RHEL 8
0:4.2.1-129.el8
fixed
RHEL 9
0:4.10.0-62.el9
fixed
fence-agents-ilo2
RHEL 8
0:4.2.1-129.el8
fixed
RHEL 9
0:4.10.0-62.el9
fixed
fence-agents-intelmodular
RHEL 8
0:4.2.1-129.el8
fixed
RHEL 9
0:4.10.0-62.el9
fixed
fence-agents-ipdu
RHEL 8
0:4.2.1-129.el8
fixed
RHEL 9
0:4.10.0-62.el9
fixed
fence-agents-ipmilan
RHEL 8
0:4.2.1-129.el8
fixed
RHEL 9
0:4.10.0-62.el9
fixed
fence-agents-kdump
RHEL 8
0:4.2.1-129.el8
fixed
RHEL 9
0:4.10.0-62.el9
fixed
fence-agents-kubevirt
RHEL 8
0:4.2.1-129.el8
fixed
RHEL 9
0:4.10.0-62.el9
fixed
fence-agents-lpar
RHEL 8
0:4.2.1-129.el8
fixed
RHEL 9
0:4.10.0-62.el9
fixed
fence-agents-mpath
RHEL 8
0:4.2.1-129.el8
fixed
RHEL 9
0:4.10.0-62.el9
fixed
fence-agents-openstack
RHEL 8
0:4.2.1-129.el8
fixed
RHEL 9
0:4.10.0-62.el9
fixed
fence-agents-redfish
RHEL 8
0:4.2.1-129.el8
fixed
RHEL 9
0:4.10.0-62.el9
fixed
fence-agents-rhevm
RHEL 8
0:4.2.1-129.el8
fixed
RHEL 9
0:4.10.0-62.el9
fixed
fence-agents-rsa
RHEL 8
0:4.2.1-129.el8
fixed
RHEL 9
0:4.10.0-62.el9
fixed
fence-agents-rsb
RHEL 8
0:4.2.1-129.el8
fixed
RHEL 9
0:4.10.0-62.el9
fixed
fence-agents-sbd
RHEL 8
0:4.2.1-129.el8
fixed
RHEL 9
0:4.10.0-62.el9
fixed
fence-agents-scsi
RHEL 8
0:4.2.1-129.el8
fixed
RHEL 9
0:4.10.0-62.el9
fixed
fence-agents-virsh
RHEL 8
0:4.2.1-129.el8
fixed
RHEL 9
0:4.10.0-62.el9
fixed
fence-agents-vmware-rest
RHEL 8
0:4.2.1-129.el8
fixed
RHEL 9
0:4.10.0-62.el9
fixed
fence-agents-vmware-soap
RHEL 8
0:4.2.1-129.el8
fixed
RHEL 9
0:4.10.0-62.el9
fixed
fence-agents-wti
RHEL 8
0:4.2.1-129.el8
fixed
RHEL 9
0:4.10.0-62.el9
fixed
fence-agents-zvm
RHEL 8
0:4.2.1-129.el8
fixed
RHEL 9
0:4.10.0-62.el9
fixed
fence-virt
RHEL 9
0:4.10.0-62.el9
fixed
fence-virtd
RHEL 9
0:4.10.0-62.el9
fixed
fence-virtd-cpg
RHEL 9
0:4.10.0-62.el9
fixed
fence-virtd-libvirt
RHEL 9
0:4.10.0-62.el9
fixed
fence-virtd-multicast
RHEL 9
0:4.10.0-62.el9
fixed
fence-virtd-serial
RHEL 9
0:4.10.0-62.el9
fixed
fence-virtd-tcp
RHEL 9
0:4.10.0-62.el9
fixed
ha-cloud-support
RHEL 9
0:4.10.0-62.el9
fixed
python3-urllib3
RHEL 9
0:1.26.5-3.el9_3.1
fixed
python3.11-urllib3
RHEL 9
0:1.26.12-2.el9_5.2
fixed
resource-agents
RHEL 8
0:4.9.0-54.el8
fixed
resource-agents-aliyun
RHEL 8
0:4.9.0-54.el8
fixed
resource-agents-gcp
RHEL 8
0:4.9.0-54.el8
fixed
resource-agents-paf
RHEL 8
0:4.9.0-54.el8
fixed
Common Weakness Enumeration
References
https://github.com/urllib3/urllib3/commit/4e98d57809dacab1cbe625fddeec1a290c478ea9
https://github.com/urllib3/urllib3/security/advisories/GHSA-g4mx-q9vg-27p4
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4R2Y5XK3WALSR3FNAGN7JBYV2B343ZKB/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5F5CUBAN5XMEBVBZPHFITBLMJV5FIJJ5/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PPDPLM6UUMN55ESPQWJFLLIZY4ZKCNRX/
https://www.rfc-editor.org/rfc/rfc9110.html#name-get
https://github.com/urllib3/urllib3/commit/4e98d57809dacab1cbe625fddeec1a290c478ea9
https://github.com/urllib3/urllib3/security/advisories/GHSA-g4mx-q9vg-27p4
https://lists.debian.org/debian-lts-announce/2024/12/msg00020.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4R2Y5XK3WALSR3FNAGN7JBYV2B343ZKB/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5F5CUBAN5XMEBVBZPHFITBLMJV5FIJJ5/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PPDPLM6UUMN55ESPQWJFLLIZY4ZKCNRX/
https://www.rfc-editor.org/rfc/rfc9110.html#name-get