Skip to content

`Cookie` HTTP header isn't stripped on cross-origin redirects

Moderate severity GitHub Reviewed Published Oct 2, 2023 in urllib3/urllib3 • Updated Nov 4, 2023

Package

pip urllib3 (pip)

Affected versions

>= 2.0.0, < 2.0.6
< 1.26.17

Patched versions

2.0.6
1.26.17

Description

urllib3 doesn't treat the Cookie HTTP header special or provide any helpers for managing cookies over HTTP, that is the responsibility of the user. However, it is possible for a user to specify a Cookie header and unknowingly leak information via HTTP redirects to a different origin if that user doesn't disable redirects explicitly.

Users must handle redirects themselves instead of relying on urllib3's automatic redirects to achieve safe processing of the Cookie header, thus we decided to strip the header by default in order to further protect users who aren't using the correct approach.

Affected usages

We believe the number of usages affected by this advisory is low. It requires all of the following to be true to be exploited:

  • Using an affected version of urllib3 (patched in v1.26.17 and v2.0.6)
  • Using the Cookie header on requests, which is mostly typical for impersonating a browser.
  • Not disabling HTTP redirects
  • Either not using HTTPS or for the origin server to redirect to a malicious origin.

Remediation

  • Upgrading to at least urllib3 v1.26.17 or v2.0.6
  • Disabling HTTP redirects using redirects=False when sending requests.
  • Not using the Cookie header.

References

@sethmlarson sethmlarson published to urllib3/urllib3 Oct 2, 2023
Published to the GitHub Advisory Database Oct 2, 2023
Reviewed Oct 2, 2023
Published by the National Vulnerability Database Oct 4, 2023
Last updated Nov 4, 2023

Severity

Moderate

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
High
Privileges required
High
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N

EPSS score

0.114%
(46th percentile)

Weaknesses

CVE ID

CVE-2023-43804

GHSA ID

GHSA-v845-jxx5-vc9f

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.