INFSA-2024:2986: python3.11-urllib3 security update

Information about definition

Identifier: INFSA-2024:2986

Type: security

Release date: 2024-08-23 19:56:28 UTC

Information about package

The python-urllib3 package provides the Python HTTP module with connection pooling and file POST abilities.

Vulnerabilities description

  • CVE-2023-43804

    urllib3 does not treat the `Cookie` HTTP header specially or provide any helpers for managing cookies over HTTP; that is the responsibility of the user. However, a user who specifies a `Cookie` header and does not explicitly disable redirects can unknowingly leak information via HTTP redirects to a different origin. This issue has been patched in urllib3 versions 1.26.17 and 2.0.5.
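
An added example (not urllib3's code and not part of this advisory) for callers that follow redirects themselves: it drops `Cookie` when a redirect leaves the origin that received it, and checks a version string against the fixed releases named above. The function names, the `example.test` hosts and the sample header values are assumptions made for illustration.

```python
import re
from urllib.parse import urljoin, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
SENSITIVE = {"cookie"}  # the header named in the advisory, lower-cased

def origin(url):
    """Return (scheme, host, port) with the scheme's default port filled in."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    return scheme, host, parts.port or DEFAULT_PORTS.get(scheme)

def headers_for_redirect(request_url, location, headers):
    """Resolve a Location value and choose the headers to send to it.

    Returns (target_url, headers). Cookie is dropped when the target's
    origin differs from the origin of the request that carried it.
    """
    target = urljoin(request_url, location)  # Location may be relative
    if origin(target) == origin(request_url):
        return target, dict(headers)
    kept = {k: v for k, v in headers.items() if k.lower() not in SENSITIVE}
    return target, kept

def is_patched(version):
    """True if a urllib3 version is at or above the fixed releases in the
    advisory: 1.26.17 on the 1.x line, 2.0.5 on 2.x. Suffixes are ignored."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    v = tuple(int(g or 0) for g in m.groups())
    return v >= (2, 0, 5) if v[0] >= 2 else v >= (1, 26, 17)

if __name__ == "__main__":
    # Constructed sample request headers and redirect targets.
    sent = {"Cookie": "session=constructed-value", "Accept": "*/*"}
    for loc in ("/home", "https://other.example.test/landing"):
        print(headers_for_redirect("https://app.example.test/login", loc, sent))
    print(is_patched("1.26.16"), is_patched("2.0.5"))
```
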

Severity level

| CVE | Score CVSS 2.0 | Score CVSS 3.x | Score CVSS 4.0 |
|---|---|---|---|
| CVE-2023-43804 | no information | 5.9 | no information |

Critical, important, moderate, low

Updated packages