{"id":"CVE-2023-43804","summary":"`Cookie` HTTP header isn't stripped on cross-origin redirects","details":"urllib3 is a user-friendly HTTP client library for Python. urllib3 does not treat the `Cookie` HTTP header specially and provides no helpers for managing cookies over HTTP; that is the responsibility of the user. However, when a user supplies a `Cookie` header on a request and does not explicitly disable redirects, urllib3 forwards that header along with the request when following an HTTP redirect, including a redirect to a different origin, so the cookie value can be leaked to a third party without the user's knowledge. Users who cannot upgrade can mitigate by disabling redirects explicitly. This issue has been patched in urllib3 versions 1.26.17 and 2.0.5. Note that the affected ranges in this record list 2.0.5 as affected and 2.0.6 as the first fixed 2.x release, so confirm the exact fixed 2.x version against the linked GHSA advisory before pinning.","aliases":["GHSA-v845-jxx5-vc9f","PYSEC-2023-192"],"modified":"2026-04-10T05:03:57.018391Z","published":"2023-10-04T16:01:50.447Z","related":["ALSA-2023:7753","ALSA-2024:0116","ALSA-2024:0133","ALSA-2024:0464","ALSA-2024:2159","ALSA-2024:2985","ALSA-2024:2986","ALSA-2024:2987","CGA-vgg3-gvpc-fvqw","SUSE-SU-2023:4064-1","SUSE-SU-2023:4108-1","SUSE-SU-2023:4157-1","SUSE-SU-2023:4352-1","openSUSE-SU-2024:13301-1","openSUSE-SU-2024:13302-1"],"database_specific":{"cwe_ids":["CWE-200"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/43xxx/CVE-2023-43804.json","cna_assigner":"GitHub_M"},"references":[{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2023/10/msg00012.html"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2024/12/msg00020.html"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5F5CUBAN5XMEBVBZPHFITBLMJV5FIJJ5/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I3PR7C6RJ6JUBQKIJ644DMIJSUP36VDY/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NDAGZXYJ7H2G3SB47M453VQVNAWKAEJJ/"},{"type":"WEB","url":"https://www.vicarius.io/vsociety/posts/cve-2023-43804-urllib3-vulnerability-3"},{"type":"ADVISORY","url":"https://github.com/CVEProject/
cvelistV5/tree/main/cves/2023/43xxx/CVE-2023-43804.json"},{"type":"ADVISORY","url":"https://github.com/urllib3/urllib3/security/advisories/GHSA-v845-jxx5-vc9f"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-43804"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20241213-0007/"},{"type":"FIX","url":"https://github.com/urllib3/urllib3/commit/01220354d389cd05474713f8c982d05c9b17aafb"},{"type":"FIX","url":"https://github.com/urllib3/urllib3/commit/644124ecd0b6e417c527191f866daa05a5a2056d"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/urllib3/urllib3","events":[{"introduced":"6446fef0cf432ca035169602a1447a0d8ef53e80"},{"fixed":"262e3e332209ee93ff70e2b13502c8f20c105ac8"}],"database_specific":{"versions":[{"introduced":"2.0.0"},{"fixed":"2.0.6"}]}},{"type":"GIT","repo":"https://github.com/urllib3/urllib3","events":[{"introduced":"0"},{"fixed":"c9016bf464751a02b7e46f8b86504f47d4238784"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"1.26.17"}]}}],"versions":["0.3","0.3.1","0.4","0.4.1","1.1","1.2","1.2.1","1.25","1.25.1","1.25.2","1.25.3","1.25.4","1.25.5","1.25.6","1.25.7","1.25.8","1.26.0","1.26.1","1.26.10","1.26.11","1.26.12","1.26.13","1.26.14","1.26.15","1.26.16","1.26.2","1.26.3","1.26.4","1.26.5","1.26.6","1.26.7","1.26.8","1.26.9","1.3","1.4","1.5","1.6","1.7","1.7.1","2.0.0","2.0.1","2.0.2","2.0.3","2.0.4","2.0.5","v2.0.5"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-43804.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N"}]}