
Security vulnerability in bundled urllib3 (CVE-2023-43804) #12337

Closed
1 task done
frenzymadness opened this issue Oct 11, 2023 · 5 comments
Labels
S: needs triage Issues/PRs that need to be triaged type: bug A confirmed bug or unintended behavior

Comments

@frenzymadness
Contributor

Description

In the current version of bundled urllib3 (1.26.16), there is a security vulnerability CVE-2023-43804 - https://nvd.nist.gov/vuln/detail/CVE-2023-43804:

urllib3 doesn't treat the Cookie HTTP header special or provide any helpers for managing cookies over HTTP, that is the responsibility of the user. However, it is possible for a user to specify a Cookie header and unknowingly leak information via HTTP redirects to a different origin if that user doesn't disable redirects explicitly. This issue has been patched in urllib3 version 1.26.17 or 2.0.5.

From my point of view, there is no way to exploit that vulnerability via pip. pip does not allow users to specify cookies when sending requests to custom indexes.

I also tried to implement an HTTP server that sends cookies to the user (HTTP header Set-Cookie) and then redirects the user to a different URL to see whether it can leak the content of the cookie when this server is used as an index for pip. It seems it doesn't work and the cookie received in the first response from the server is not sent back in the second request to the different URL by pip.

Bundled urllib3 will be updated sooner or later. I just want to assess the possible risk users of pip with vulnerable bundled urllib3 might face.

Expected behavior

No response

pip version

23.2.1

Python version

3.11

OS

Fedora Linux

How to Reproduce

There is nothing to reproduce.

Output

No response

Code of Conduct

@frenzymadness frenzymadness added S: needs triage Issues/PRs that need to be triaged type: bug A confirmed bug or unintended behavior labels Oct 11, 2023
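The mechanism behind CVE-2023-43804 is that a client which copies all request headers onto a redirected request will hand a user-supplied Cookie to whatever origin the Location header points at. The following is an added example (my own code, not pip's or urllib3's) of the redirect policy a client should apply: credential-bearing headers are dropped only when the redirect crosses an origin boundary (scheme, host or port changes), and a small offline simulation walks a constructed redirect table so the headers reaching each origin can be inspected, much like the two-server experiment described above but without sockets. The header names in `SENSITIVE_HEADERS` and the sample URLs are assumptions chosen for illustration; urllib3's real fix lives in its own `Retry` default settings and is not reproduced here.

```python
from urllib.parse import urljoin, urlsplit

# Headers that carry credentials and must not be forwarded across an origin
# boundary. The set is an assumption modelled on the class of headers the CVE
# text is about (Cookie) plus the usual authorization headers; it is not a
# copy of urllib3's own default list.
SENSITIVE_HEADERS = frozenset({"authorization", "proxy-authorization", "cookie"})

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return (scheme, host, port) for a URL with default ports normalised,
    so http://h.example/ and http://h.example:80/ compare equal."""
    parts = urlsplit(url)
    scheme = (parts.scheme or "http").lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return scheme, host, port


def same_origin(url_a, url_b):
    return origin(url_a) == origin(url_b)


def headers_for_redirect(current_url, redirect_url, headers, sensitive=SENSITIVE_HEADERS):
    """Return the headers a client may send when redirected from current_url
    to redirect_url. Same-origin redirects keep every header; cross-origin
    redirects drop the names listed in `sensitive` (compared case-insensitively).
    Passing a `sensitive` set without "cookie" reproduces the pre-fix leak."""
    if same_origin(current_url, redirect_url):
        return dict(headers)
    return {k: v for k, v in headers.items() if k.lower() not in sensitive}


def walk_redirects(start_url, headers, responses, max_redirects=5):
    """Simulate following redirects against a constructed response table.

    `responses` maps URL -> (status, Location header or None). Returns a list of
    (url, headers_sent) pairs, one per hop, so a test can check exactly which
    headers reached each origin. Relative Location values are resolved against
    the current URL, so they stay same-origin."""
    url, sent = start_url, dict(headers)
    trail = []
    for _ in range(max_redirects + 1):
        trail.append((url, sent))
        status, location = responses.get(url, (200, None))
        if status not in (301, 302, 303, 307, 308) or not location:
            return trail
        next_url = urljoin(url, location)
        sent = headers_for_redirect(url, next_url, sent)
        url = next_url
    raise RuntimeError("too many redirects")


# Constructed sample: an index host redirects to a CDN on a different origin.
SAMPLE_RESPONSES = {
    "https://index.example/simple/": (302, "https://cdn.example/simple/"),
    "https://cdn.example/simple/": (200, None),
}


if __name__ == "__main__":
    trail = walk_redirects(
        "https://index.example/simple/",
        {"Cookie": "session=abc", "Accept": "*/*"},
        SAMPLE_RESPONSES,
    )
    for url, sent in trail:
        print(url, sorted(sent))
```

Running the block prints one line per hop; the second hop (the CDN origin) must not list Cookie. The `sensitive` parameter exists so a regression test can pin both behaviours: the hardened default strips Cookie cross-origin, while a set containing only `authorization` shows the leak that the fixed urllib3 versions close.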
@uranusjr
Member

I don’t think there’s any way a user can supply a custom header so the vulnerability does not seem relevant at all.

@frenzymadness
Contributor Author

Thank you @uranusjr ! I ended up with the same conclusion. For the aforementioned reasons, there is no need to hurry up with updating bundled urllib3 and therefore this issue can be closed, if you don't plan to investigate it further.

@uranusjr
Member

Has urllib3 released a version with a fix? If it does, it’s still in time for 23.3 due this month.

@frenzymadness
Contributor Author

> Has urllib3 released a version with a fix? If it does, it’s still in time for 23.3 due this month.

Yes, v1.26.17 and v2.0.6 are fixed.

@uranusjr
Member

Nice. Merging this into the release issue then.

@uranusjr uranusjr closed this as not planned Won't fix, can't repro, duplicate, stale Oct 12, 2023
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Nov 12, 2023