PT-2023-6268 · Pypi+11 · Urllib3+11
Ranjit-Git · Published 2023-10-13 · Updated 2026-05-19
CVE-2023-45803
| CVSS v4.0 | 5.7 (Medium) |
| Vector | AV:A/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
urllib3 versions prior to 1.26.18
urllib3 versions prior to 2.0.7
Description
The issue affects urllib3, a user-friendly HTTP client for Python. Before the fix, urllib3 did not remove the HTTP request body when an HTTP redirect response with status 301, 302, or 303 changed the request method from one that can carry a body to GET. Although the redirect section of the HTTP RFCs does not state this behavior explicitly, it can be inferred from other sections and is what other major HTTP client implementations such as curl and web browsers do. For the vulnerability to have an impact on confidentiality, a previously trusted service must become compromised, so its exploitability is considered low. In addition, many users do not put sensitive data in HTTP request bodies, in which case the vulnerability is not exploitable. Two conditions must both hold to be affected: the application uses urllib3 and submits sensitive information in the HTTP request body, and the origin service is compromised and starts redirecting with 301, 302, or 303 to a malicious peer, or the redirected-to service becomes compromised.
Recommendations
Update to version 1.26.18 or later to resolve the issue.
Update to version 2.0.7 or later to resolve the issue.
For users unable to update, disable redirects for services that aren't expecting to respond with redirects by setting redirects=False, and handle 301, 302, and 303 redirects manually by stripping the HTTP request body.
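As an added example (not code from this page or from the urllib3 project), this is the manual handling the recommendation describes: automatic redirects are turned off and 301/302/303 responses are followed by hand as GET with the body and its framing headers removed, while 307/308 keep method and body. It assumes urllib3's `PoolManager.request` accepts `redirect=False` (the keyword urllib3 itself uses) and returns an object with `.status` and `.headers`; the cross-host Authorization stripping is extra hardening added here, not part of the advisory.

```python
from urllib.parse import urljoin, urlsplit

# Statuses the advisory says to handle by hand: re-issue as GET with no body.
BODY_STRIPPING_REDIRECTS = {301, 302, 303}
# 307/308 require the original method and body to be preserved.
METHOD_PRESERVING_REDIRECTS = {307, 308}
MAX_HOPS = 5
BODY_HEADERS = ("content-type", "content-length", "transfer-encoding")


def next_request(method, url, body, headers, status, location):
    """Return (method, url, body, headers) for the follow-up request, or None
    when the response is not a redirect we follow.

    For 301/302/303 the method becomes GET (HEAD stays HEAD) and the body plus
    its framing headers are dropped, so sensitive data is never re-sent to the
    redirect target. For 307/308 everything is kept, as the RFCs require.
    """
    if location is None or status not in (
        BODY_STRIPPING_REDIRECTS | METHOD_PRESERVING_REDIRECTS
    ):
        return None
    new_url = urljoin(url, location)  # Location may be relative
    new_headers = dict(headers)
    if urlsplit(new_url).netloc != urlsplit(url).netloc:
        # Hardening added in this example (assumption, not from the advisory):
        # never forward credentials to a different host.
        new_headers = {k: v for k, v in new_headers.items()
                       if k.lower() != "authorization"}
    if status in METHOD_PRESERVING_REDIRECTS or method.upper() == "HEAD":
        return method, new_url, body, new_headers
    # Body is gone, so its framing headers must go too.
    new_headers = {k: v for k, v in new_headers.items()
                   if k.lower() not in BODY_HEADERS}
    return "GET", new_url, None, new_headers


def request_stripping_redirect_bodies(http, method, url, body=None, headers=None):
    """Send a request with urllib3's automatic redirects disabled and follow
    redirects manually through next_request().

    `http` is assumed to be a urllib3.PoolManager, or any object whose
    .request(method, url, body=, headers=, redirect=False) returns a response
    with .status and .headers.
    """
    headers = dict(headers or {})
    for _ in range(MAX_HOPS):
        resp = http.request(method, url, body=body, headers=headers, redirect=False)
        follow = next_request(method, url, body, headers,
                              resp.status, resp.headers.get("Location"))
        if follow is None:
            return resp
        method, url, body, headers = follow
    raise RuntimeError("too many redirects")
```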
Information Disclosure
Affected Products
Alt Linux
Almalinux
Astra Linux
Centos
Ibm Aix
Linuxmint
Red Hat
Red Os
Rocky Linux
Suse
Ubuntu
Urllib3