{"id":"PYSEC-2023-192","details":"urllib3 is a user-friendly HTTP client library for Python. urllib3 doesn't treat the `Cookie` HTTP header specially or provide any helpers for managing cookies over HTTP; that is the responsibility of the user. However, it is possible for a user to specify a `Cookie` header and unknowingly leak information via HTTP redirects to a different origin if that user doesn't explicitly disable redirects. This issue has been patched in urllib3 version 1.26.17 or 2.0.5. Note that the affected ranges in this record list 2.0.5 as affected and give 2.0.6 as the fixed 2.x version.","aliases":["CVE-2023-43804","GHSA-v845-jxx5-vc9f"],"modified":"2023-11-08T04:13:33.452167Z","published":"2023-10-04T17:15:00Z","references":[{"type":"FIX","url":"https://github.com/urllib3/urllib3/commit/644124ecd0b6e417c527191f866daa05a5a2056d"},{"type":"ADVISORY","url":"https://github.com/urllib3/urllib3/security/advisories/GHSA-v845-jxx5-vc9f"},{"type":"FIX","url":"https://github.com/urllib3/urllib3/commit/01220354d389cd05474713f8c982d05c9b17aafb"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2023/10/msg00012.html"}],"affected":[{"package":{"name":"urllib3","ecosystem":"PyPI","purl":"pkg:pypi/urllib3"},"ranges":[{"type":"GIT","repo":"https://github.com/urllib3/urllib3","events":[{"introduced":"0"},{"fixed":"644124ecd0b6e417c527191f866daa05a5a2056d"},{"fixed":"01220354d389cd05474713f8c982d05c9b17aafb"}]},{"type":"ECOSYSTEM","events":[{"introduced":"2.0.0"},{"fixed":"2.0.6"},{"introduced":"0"},{"fixed":"1.26.17"}]}],"versions":["0.2","0.3","0.3.1","0.4.0","0.4.1","1.0","1.0.1","1.0.2","1.1","1.10","1.10.1","1.10.2","1.10.3","1.10.4","1.11","1.12","1.13","1.13.1","1.14","1.15","1.15.1","1.16","1.17","1.18","1.18.1","1.19","1.19.1","1.2","1.2.1","1.2.2","1.20","1.21","1.21.1","1.22","1.23","1.24","1.24.1","1.24.2","1.24.3","1.25","1.25.1","1.25.10","1.25.11","1.25.2","1.25.3","1.25.4","1.25.5","1.25.6","1.25.7","1.25.8","1.25.9","1.26.0","1.26.1","1.26.10","1.26.11","1.26.12","1.26.13","1.26.14","1.26.15","1.26.16","1.26.2","1.26.3","1.26.4","1.26.5","1.26.6
","1.26.7","1.26.8","1.26.9","1.3","1.4","1.5","1.6","1.7","1.7.1","1.8","1.8.2","1.8.3","1.9","1.9.1","2.0.0","2.0.1","2.0.2","2.0.3","2.0.4","2.0.5"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/urllib3/PYSEC-2023-192.yaml"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"}]}