CVE-2023-32681

Requests is a HTTP library. Since Requests 2.3.0, Requests has been leaking Proxy-Authorization headers to destination servers when redirected to an HTTPS endpoint. This is a product of how we use `rebuild_proxies` to reattach the `Proxy-Authorization` header to requests. For HTTP connections sent through the tunnel, the proxy will identify the header in the request itself and remove it prior to forwarding to the destination server. However when sent over HTTPS, the `Proxy-Authorization` header must be sent in the CONNECT request as the proxy has no visibility into the tunneled request. This results in Requests forwarding proxy credentials to the destination server unintentionally, allowing a malicious actor to potentially exfiltrate sensitive information. This issue has been patched in version 2.31.0.

CVSS v3 6.1 MEDIUM

6.1^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.6 / Impact : 4.0

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/psf/requests/commit/74ea7cf7a6a27a4eeb2ae24e162bcc942a6706d5	Patch
https://github.com/psf/requests/releases/tag/v2.31.0	Release Notes
https://github.com/psf/requests/security/advisories/GHSA-j8r2-6x86-q33q	Vendor Advisory
https://lists.debian.org/debian-lts-announce/2023/06/msg00018.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AW7HNFGYP44RT3DUDQXG2QT3OEV2PJ7Y/	Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KOYASTZDGQG2BWLSNBPL3TQRL2G7QYNZ/
https://security.gentoo.org/glsa/202309-08

Configurations

Configuration 1 (hide)

cpe:2.3:a:python:requests:*:*:*:*:*:*:*:*

Configuration 2 (hide)

cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*

History

No history.

Information

Published : 2023-05-26 18:15

Updated : 2023-09-17 09:15

NVD link : CVE-2023-32681

Mitre link : CVE-2023-32681

CVE.ORG link : CVE-2023-32681

JSON object : View

Products Affected

fedoraproject

fedora

python

requests

CWE

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

NVD-CWE-noinfo

{"id": "CVE-2023-32681", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 4.0, "exploitabilityScore": 1.6}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 4.0, "exploitabilityScore": 1.6}]}, "published": "2023-05-26T18:15:14.147", "references": [{"url": "https://github.com/psf/requests/commit/74ea7cf7a6a27a4eeb2ae24e162bcc942a6706d5", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/psf/requests/releases/tag/v2.31.0", "tags": ["Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/psf/requests/security/advisories/GHSA-j8r2-6x86-q33q", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://lists.debian.org/debian-lts-announce/2023/06/msg00018.html", "source": "security-advisories@github.com"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AW7HNFGYP44RT3DUDQXG2QT3OEV2PJ7Y/", "tags": ["Mailing List", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KOYASTZDGQG2BWLSNBPL3TQRL2G7QYNZ/", "source": "security-advisories@github.com"}, {"url": "https://security.gentoo.org/glsa/202309-08", "source": "security-advisories@github.com"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-200"}]}, {"type": "Secondary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "Requests is a HTTP library. Since Requests 2.3.0, Requests has been leaking Proxy-Authorization headers to destination servers when redirected to an HTTPS endpoint. This is a product of how we use `rebuild_proxies` to reattach the `Proxy-Authorization` header to requests. For HTTP connections sent through the tunnel, the proxy will identify the header in the request itself and remove it prior to forwarding to the destination server. However when sent over HTTPS, the `Proxy-Authorization` header must be sent in the CONNECT request as the proxy has no visibility into the tunneled request. This results in Requests forwarding proxy credentials to the destination server unintentionally, allowing a malicious actor to potentially exfiltrate sensitive information. This issue has been patched in version 2.31.0.\n\n"}, {"lang": "es", "value": "Requests es una librer\u00eda HTTP. Desde Requests 2.3.0, Requests ha estado filtrando cabeceras Proxy-Authorization a los servidores de destino cuando se redirige a un endpoint HTTPS. Esto es producto de c\u00f3mo usamos `rebuild_proxies` para volver a adjuntar la cabecera `Proxy-Authorization` a las peticiones. Para conexiones HTTP enviadas a trav\u00e9s del t\u00fanel, el proxy identificar\u00e1 la cabecera en la propia petici\u00f3n y la eliminar\u00e1 antes de reenviarla al servidor de destino. Sin embargo, cuando se env\u00eda a trav\u00e9s de HTTPS, la cabecera `Proxy-Authorization` debe enviarse en la solicitud CONNECT, ya que el proxy no tiene visibilidad sobre la solicitud en t\u00fanel. Esto provoca que las solicitudes reenv\u00eden las credenciales del proxy al servidor de destino de forma no intencionada, lo que permite a un actor malicioso filtrar informaci\u00f3n confidencial. Este problema se ha corregido en la versi\u00f3n 2.31.0."}], "lastModified": "2023-09-17T09:15:12.327", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:python:requests:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "15530292-B507-496D-B36E-0CA89A7037C6", "versionEndExcluding": "2.31.0", "versionStartIncluding": "2.3.0"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E30D0E6F-4AE8-4284-8716-991DFA48CC5D"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}