
Christos-Spearbit

#19496 of 53,633
13.5 Total CVSS
Vulnerabilities · 2 (Medium: 1, High: 1)
PT-2026-39665
8.2
2026-05-11
Pypi · Urllib3 · CVE-2026-44431
**Name of the Vulnerable Software and Affected Versions** urllib3 versions 1.23 through 2.6.x

**Description** Sensitive headers, specifically `Authorization`, `Cookie`, and `Proxy-Authorization`, are forwarded during cross-origin redirects when using the low-level API via `ProxyManager.connection_from_url().urlopen(..., assert_same_host=False)`. While high-level APIs like `urllib3.request()`, `PoolManager.request()`, and `ProxyManager.request()` strip these headers by default, the low-level flow fails to do so.

**Recommendations** Upgrade to version 2.7.0 or later. Avoid using the low-level redirect flow for cross-origin redirects or switch to `ProxyManager.request()`.
PT-2026-29689
5.3
2026-03-31
Xz Utils · Xz Utils · CVE-2026-34743
**Name of the Vulnerable Software and Affected Versions** XZ Utils versions prior to 5.8.3

**Description** XZ Utils, a data-compression library and command-line tools, had a flaw where the `lzma_index_decoder()` function, when processing an Index without Records, could leave the `lzma_index` in a state leading to insufficient memory allocation during a subsequent `lzma_index_append()` call. This resulted in a buffer overflow. The issue was addressed in version 5.8.3.

**Recommendations** Update to version 5.8.3 or later.