6.1

CVE-2023-32681

EPSS 6.28%
Published 26.05.2023 18:15:14
Last modified 13.02.2025 17:16:32
Source security-advisories@github.com
Teams watchlist Login
Open Login

Requests is a HTTP library. Since Requests 2.3.0, Requests has been leaking Proxy-Authorization headers to destination servers when redirected to an HTTPS endpoint. This is a product of how we use `rebuild_proxies` to reattach the `Proxy-Authorization` header to requests. For HTTP connections sent through the tunnel, the proxy will identify the header in the request itself and remove it prior to forwarding to the destination server. However when sent over HTTPS, the `Proxy-Authorization` header must be sent in the CONNECT request as the proxy has no visibility into the tunneled request. This results in Requests forwarding proxy credentials to the destination server unintentionally, allowing a malicious actor to potentially exfiltrate sensitive information. This issue has been patched in version 2.31.0.

Affected products Warnungen 0 Metrics 3 CWE 1 References 10

Data is provided by the National Vulnerability Database (NVD)

Python ≫ Requests Version >= 2.3.0 < 2.31.0

Fedoraproject ≫ Fedora Version37

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	6.28%	0.905

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	6.1	1.6	4	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N
security-advisories@github.com	6.1	1.6	4	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

https://github.com/psf/requests/commit/74ea7cf7a6a27a4eeb2ae24e162bcc942a6706d5

Patch

https://github.com/psf/requests/releases/tag/v2.31.0

Release Notes

https://github.com/psf/requests/security/advisories/GHSA-j8r2-6x86-q33q

Vendor Advisory

https://lists.debian.org/debian-lts-announce/2023/06/msg00018.html

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AW7HNFGYP44RT3DUDQXG2QT3OEV2PJ7Y/

Third Party Advisory

Mailing List

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KOYASTZDGQG2BWLSNBPL3TQRL2G7QYNZ/

https://security.gentoo.org/glsa/202309-08

https://nvd.nist.gov/vuln/detail/CVE-2023-32681

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-32681

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-32681

EUVD