PT-2023-7669 · Pypi+11 · Urllib3+11
Ranjit-Git · Published 2023-10-02 · Updated 2026-06-03
CVE-2023-43804
CVSS v2.0: 8.5 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:N
Name of the Vulnerable Software and Affected Versions
urllib3 versions prior to 1.26.17
urllib3 versions prior to 2.0.5
Description
The issue is related to the handling of the Cookie HTTP header in urllib3, a user-friendly HTTP client library for Python. If a user specifies a Cookie header and does not disable redirects explicitly, the Cookie header can be forwarded along an HTTP redirect to a different origin, leaking its contents. The number of usages affected by this advisory is believed to be low, because several conditions must be met at once: the use of an affected version of urllib3, the Cookie header on requests, not disabling HTTP redirects, and either not using HTTPS or the origin server redirecting to a malicious origin.
Recommendations
For versions prior to 1.26.17, upgrade to at least urllib3 version 1.26.17.
For versions prior to 2.0.5, upgrade to at least urllib3 version 2.0.5.
As a temporary workaround, consider disabling HTTP redirects using redirects=False when sending requests.
Avoid using the Cookie header on requests unless necessary, and ensure that redirects are properly handled to prevent information leakage.
Exploit · Fix · Information Disclosure
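For the manual redirect handling the workaround implies, the following added example (stdlib only, not urllib3's own code; `origin` and `headers_for_redirect` are names chosen here) shows the check that decides whether the Cookie header may follow a redirect: it is forwarded only when the resolved target shares the original request's scheme, host and port, which is the rule the fixed versions enforce for cross-origin redirects.

```python
from urllib.parse import urljoin, urlsplit

# Credential-bearing request headers that must not cross an origin boundary.
SENSITIVE_HEADERS = frozenset({"cookie", "authorization"})
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return the (scheme, host, port) triple that identifies an origin."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)


def headers_for_redirect(request_url, location, headers):
    """Return (safe_headers, target_url) for following one redirect.

    `location` may be relative (RFC 7231 allows it), so it is resolved
    against the original request URL first. Sensitive headers are kept only
    when the target has the same scheme, host and port; an https -> http
    downgrade on the same host therefore also drops the Cookie header.
    """
    target = urljoin(request_url, location)
    if origin(target) == origin(request_url):
        return dict(headers), target
    safe = {k: v for k, v in headers.items() if k.lower() not in SENSITIVE_HEADERS}
    return safe, target


if __name__ == "__main__":
    # Constructed sample request: a session cookie issued by app.example.
    hdrs = {"Cookie": "session=abc123", "User-Agent": "demo/1.0"}
    same, _ = headers_for_redirect("https://app.example/login", "/home", hdrs)
    cross, where = headers_for_redirect(
        "https://app.example/login", "http://other.example/collect", hdrs)
    print("same-origin keeps Cookie:", "Cookie" in same)  # True
    print("cross-origin drops Cookie:", "Cookie" not in cross, where)  # True
```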
Affected Products
ALT Linux
AlmaLinux
Astra Linux
CentOS
IBM AIX
Linux Mint
Red Hat
RED OS
Rocky Linux
SUSE
Ubuntu
urllib3