{"schema_version":"1.7.2","id":"OESA-2024-1945","modified":"2024-08-02T11:08:44Z","published":"2024-08-02T11:08:44Z","upstream":["CVE-2024-37891"],"summary":"python-urllib3 security update","details":"Sanity-friendly HTTP client for Python\r\n\r\nSecurity Fix(es):\r\n\r\n urllib3 is a user-friendly HTTP client library for Python. When using urllib3\u0026apos;s proxy support with `ProxyManager`, the `Proxy-Authorization` header is only sent to the configured proxy, as expected. However, when sending HTTP requests *without* using urllib3\u0026apos;s proxy support, it\u0026apos;s possible to accidentally configure the `Proxy-Authorization` header even though it won\u0026apos;t have any effect as the request is not using a forwarding proxy or a tunneling proxy. In those cases, urllib3 doesn\u0026apos;t treat the `Proxy-Authorization` HTTP header as one carrying authentication material and thus doesn\u0026apos;t strip the header on cross-origin redirects. Because this is a highly unlikely scenario, we believe the severity of this vulnerability is low for almost all users. Out of an abundance of caution urllib3 will automatically strip the `Proxy-Authorization` header during cross-origin redirects to avoid the small chance that users are doing this on accident. Users should use urllib3\u0026apos;s proxy support or disable automatic redirects to achieve safe processing of the `Proxy-Authorization` header, but we still decided to strip the header by default in order to further protect users who aren\u0026apos;t using the correct approach. We believe the number of usages affected by this advisory is low. It requires all of the following to be true to be exploited: 1. Setting the `Proxy-Authorization` header without using urllib3\u0026apos;s built-in proxy support. 2. Not disabling HTTP redirects. 3. Either not using an HTTPS origin server or for the proxy or target origin to redirect to a malicious origin. Users are advised to update to either version 1.26.19 or version 2.2.2. Users unable to upgrade may use the `Proxy-Authorization` header with urllib3\u0026apos;s `ProxyManager`, disable HTTP redirects using `redirects=False` when sending requests, or not user the `Proxy-Authorization` header as mitigations.(CVE-2024-37891)","affected":[{"package":{"ecosystem":"openEuler:22.03-LTS-SP1","name":"python-urllib3","purl":"pkg:rpm/openEuler/python-urllib3\u0026distro=openEuler-22.03-LTS-SP1"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.26.12-7.oe2203sp1"}]}],"ecosystem_specific":{"noarch":["python3-urllib3-1.26.12-7.oe2203sp1.noarch.rpm"],"src":["python-urllib3-1.26.12-7.oe2203sp1.src.rpm"]}}],"references":[{"type":"ADVISORY","url":"https://www.openeuler.org/en/security/security-bulletins/detail?id=openEuler-SA-2024-1945"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-37891"}],"database_specific":{"severity":"Medium"}}