CVE-2024-37891

CWE-66914 documents9 sources

Severity

6.5MEDIUM

EPSS

0.3%

top 51.03%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Urllib3 Urllib3 Python Urllib3 Debian Debian Linux

Timeline

PublishedJun 17

Latest updateJul 15

Description

urllib3 is a user-friendly HTTP client library for Python. When using urllib3's proxy support with `ProxyManager`, the `Proxy-Authorization` header is only sent to the configured proxy, as expected. However, when sending HTTP requests *without* using urllib3's proxy support, it's possible to accidentally configure the `Proxy-Authorization` header even though it won't have any effect as the request is not using a forwarding proxy or a tunneling proxy. In those cases, urllib3 doesn't treat the `Pr…

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:NExploitability: 0.7 | Impact: 3.6

Affected Packages4 packages

▶NVDpython/urllib32.0.0 — 2.2.2+1

▶Debianpython-urllib3< 1.26.5-1~exp1+deb11u1+3

▶PyPIurllib32.0.0 — 2.2.2+1

▶CVEListV5urllib3/urllib3< 1.26.19+1

Also affects: Debian Linux 11.0

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

CVEList

Proxy-Authorization request header isn't stripped during cross-origin redirects in urllib3↗2024-06-17

▶

OSV

CVE-2024-37891: urllib3 is a user-friendly HTTP client library for Python↗2024-06-17

▶

GHSA

urllib3's Proxy-Authorization request header isn't stripped during cross-origin redirects↗2024-06-17

▶

OSV

urllib3's Proxy-Authorization request header isn't stripped during cross-origin redirects↗2024-06-17

▶

📋Vendor Advisories

Oracle

Oracle Oracle Communications Risk Matrix: Platform (urllib3) — CVE-2024-37891↗2025-07-15

▶

Oracle

Oracle Oracle Communications Risk Matrix: Configuration (urllib3) — CVE-2024-37891↗2025-04-15

▶

Oracle

Oracle Oracle Communications Applications Risk Matrix: Billing Care (urllib3) — CVE-2024-37891↗2025-01-15

▶

Ubuntu

pip vulnerability↗2024-10-30

▶

Ubuntu

urllib3 vulnerability↗2024-10-29

▶