Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 906970 (CVE-2023-32681, GHSA-j8r2-6x86-q33q)

Summary: <dev-python/requests-2.31.0: Unintended leak of Proxy-Authorization header
Product: Gentoo Security Reporter: Michał Górny <mgorny>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: python
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: A4 [glsa+]
Package list:
Runtime testing required: ---
Bug Depends on: 906969    
Bug Blocks:    

Description Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2023-05-23 04:58:59 UTC 
+2.31.0 (2023-05-22)
+-------------------
+
+**Security**
+- Versions of Requests between v2.3.0 and v2.30.0 are vulnerable to potential
+  forwarding of `Proxy-Authorization` headers to destination servers when
+  following HTTPS redirects.
+
+  When proxies are defined with user info (https://user:pass@proxy:8080), Requests
+  will construct a `Proxy-Authorization` header that is attached to the request to
+  authenticate with the proxy.
+
+  In cases where Requests receives a redirect response, it previously reattached
+  the `Proxy-Authorization` header incorrectly, resulting in the value being
+  sent through the tunneled connection to the destination server. Users who rely on
+  defining their proxy credentials in the URL are *strongly* encouraged to upgrade
+  to Requests 2.31.0+ to prevent unintentional leakage and rotate their proxy
+  credentials once the change has been fully deployed.
+
+  Users who do not use a proxy or do not supply their proxy credentials through
+  the user information portion of their proxy URL are not subject to this
+  vulnerability.
+
+  Full details can be read in our [Github Security Advisory](https://github.com/psf/requests/security/advisories/GHSA-j8r2-6x86-q33q)
+  and [CVE-2023-32681](https://nvd.nist.gov/vuln/detail/CVE-2023-32681).
Comment 1 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2023-05-23 13:37:43 UTC 
Cleanup done.
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-05-31 04:49:48 UTC 
GLSA request filed
Comment 3 Larry the Git Cow gentoo-dev 2023-09-17 06:33:24 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=350089607fb03a112b8ef41490ac5428b2edf828

commit 350089607fb03a112b8ef41490ac5428b2edf828
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-09-17 06:32:25 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-09-17 06:33:22 +0000

    [ GLSA 202309-08 ] Requests: Information Leak
    
    Bug: https://bugs.gentoo.org/906970
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Sam James <sam@gentoo.org>

 glsa-202309-08.xml | 43 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 43 insertions(+)