PT-2024-9408 · Pypi+10 · Urllib3+10
Smartkeyss
·
Published
2024-06-17
·
Updated
2026-06-03
·
CVE-2024-37891
CVSS v3.1
6.5
Medium
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions:
urllib3 versions prior to 1.26.19
urllib3 versions prior to 2.2.2
Description:
The issue is in the handling of the Proxy-Authorization header in urllib3, a Python HTTP client library. When urllib3's own proxy support (ProxyManager) is used, the Proxy-Authorization header is sent only to the configured proxy. When requests are sent without urllib3's proxy support, however, an application can still set Proxy-Authorization as an ordinary request header. The header has no effect in that case, since no forwarding or tunneling proxy is involved, but affected versions do not treat it as carrying credentials and therefore do not strip it on cross-origin redirects. A remote attacker who controls the redirect target can thereby obtain the proxy credentials.
The severity is considered low for almost all users, because exploitation requires all of the following: the application sets the Proxy-Authorization header without using urllib3's built-in proxy support, HTTP redirects are not disabled, and either the origin server is not reached over HTTPS (so a redirect can be injected on the wire) or the origin server itself redirects to a malicious origin.
Recommendations:
Update to version 1.26.19 or version 2.2.2, which add Proxy-Authorization to the headers urllib3 strips on cross-origin redirects by default.
Until the update can be applied, any one of the following removes the exposure on both the 1.26.x and 2.x branches:
Send the Proxy-Authorization header only through urllib3's ProxyManager (its proxy_headers argument), so it reaches the proxy and nothing else.
Disable HTTP redirects when sending requests; the urlopen()/request() keyword is redirect=False.
Do not set the Proxy-Authorization header at all.
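The following is an added worked example for the description and mitigations above; it is not part of this advisory and not urllib3's own code. It reproduces the leak with the Python standard library: two local HTTP servers (assumed, on loopback ports chosen at run time) play the first origin and an attacker-controlled second origin, a minimal client `fetch()` follows the redirect either forwarding every header (the affected behaviour) or stripping credential headers when the origin changes (the fixed behaviour), and `follow_redirects=False` stands in for the redirect=False mitigation. The credential value is a constructed dummy. `urllib3_strips_proxy_auth_by_default()` is the version-agnostic check a practitioner can run against an installed urllib3; the helper names `fetch`, `headers_for_redirect`, `same_origin` and `demo` are this example's own.

```python
"""Proxy-Authorization leak on a cross-origin redirect, reproduced with the standard
library, plus a check of the installed urllib3. Constructed demo, not urllib3 code."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urljoin, urlsplit

# Credential-bearing headers that must not follow a redirect to another origin
# (fixed urllib3 strips all three by default; affected releases not Proxy-Authorization).
SENSITIVE_HEADERS = frozenset({"authorization", "cookie", "proxy-authorization"})
DUMMY_PROXY_AUTH = "Basic cHJveHl1c2VyOnNlY3JldA=="  # constructed: "proxyuser:secret"


def same_origin(a, b):
    """Same scheme, host and port; this is also how urllib3 decides 'same host'."""
    default = {"http": 80, "https": 443}
    pa, pb = urlsplit(a), urlsplit(b)
    return ((pa.scheme, pa.hostname, pa.port or default.get(pa.scheme))
            == (pb.scheme, pb.hostname, pb.port or default.get(pb.scheme)))


def headers_for_redirect(headers, from_url, to_url, strip=SENSITIVE_HEADERS):
    """Headers to carry over to to_url after a redirect from from_url."""
    if same_origin(from_url, to_url):
        return dict(headers)
    return {k: v for k, v in headers.items() if k.lower() not in strip}


def fetch(url, headers, *, follow_redirects=True, strip=SENSITIVE_HEADERS, max_hops=5):
    """Minimal GET client. strip=frozenset() reproduces the affected behaviour (every
    header follows the redirect); follow_redirects=False is the redirect=False mitigation."""
    for _ in range(max_hops):
        p = urlsplit(url)
        conn = http.client.HTTPConnection(p.hostname, p.port, timeout=5)
        conn.request("GET", p.path or "/", headers=headers)
        resp = conn.getresponse()
        body, location = resp.read(), resp.getheader("Location")
        conn.close()
        if resp.status not in (301, 302, 303, 307, 308) or not follow_redirects or not location:
            return resp.status, body
        next_url = urljoin(url, location)
        headers = headers_for_redirect(headers, url, next_url, strip)
        url = next_url
    raise RuntimeError("too many redirects")


class _Quiet(BaseHTTPRequestHandler):
    def log_message(self, *args):  # keep the demo output clean
        pass


class _Redirector(_Quiet):
    """The first origin: answers every GET with a 302 to the attacker's origin."""
    target = ""

    def do_GET(self):
        self.send_response(302)
        self.send_header("Location", type(self).target)
        self.end_headers()


class _Sink(_Quiet):
    """The attacker's origin: records the headers it receives."""
    seen = []

    def do_GET(self):
        type(self).seen.append({k.lower(): v for k, v in self.headers.items()})
        self.send_response(200)
        self.end_headers()


def _serve(handler):
    srv = HTTPServer(("127.0.0.1", 0), handler)  # port 0: any free loopback port
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}/"


def demo():
    """Run the three scenarios; returns (leaked, stripped, not_followed)."""
    sink, sink_url = _serve(_Sink)
    _Redirector.target = sink_url  # different port, hence a different origin
    origin, origin_url = _serve(_Redirector)
    creds = {"Proxy-Authorization": DUMMY_PROXY_AUTH, "X-Trace": "1"}
    try:
        _Sink.seen.clear()
        fetch(origin_url, creds, strip=frozenset())  # affected client: header leaks
        leaked = "proxy-authorization" in _Sink.seen[-1]
        _Sink.seen.clear()
        fetch(origin_url, creds)  # hardened client: credential headers stripped
        last = _Sink.seen[-1]
        stripped = "proxy-authorization" not in last and last.get("x-trace") == "1"
        _Sink.seen.clear()
        status, _ = fetch(origin_url, creds, follow_redirects=False)  # redirect=False
        not_followed = status == 302 and not _Sink.seen
    finally:
        for srv in (origin, sink):
            srv.shutdown()
            srv.server_close()
    return leaked, stripped, not_followed


def urllib3_strips_proxy_auth_by_default():
    """True if the installed urllib3 strips Proxy-Authorization on cross-origin redirects
    by default (1.26.19+ / 2.2.2+), False if it does not, None if urllib3 is absent."""
    try:
        from urllib3.util.retry import Retry
    except ImportError:
        return None
    return "proxy-authorization" in {h.lower() for h in Retry.DEFAULT_REMOVE_HEADERS_ON_REDIRECT}
```

Running `demo()` returns `(True, True, True)`: the affected client delivers the proxy credential to the second origin, the hardened client forwards only non-credential headers, and with redirects disabled the second origin is never contacted. On an affected urllib3 the same hardening is available without upgrading by passing `retries=urllib3.util.retry.Retry(remove_headers_on_redirect=["Authorization", "Cookie", "Proxy-Authorization"])` to the request, which is the setting the fixed releases make the default.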
Affected Products
AlmaLinux
Astra Linux
CentOS
IBM AIX
Linux Mint
Red Hat
RED OS
Rocky Linux
SUSE
Ubuntu
urllib3