CVE-2023-32681

Publication date 26 May 2023

Last updated 24 July 2024


Ubuntu priority

CVSS 3 Severity Score

6.1 · Medium

Requests is an HTTP library. Since Requests 2.3.0, Requests has been leaking Proxy-Authorization headers to destination servers when redirected to an HTTPS endpoint. This is a product of how we use `rebuild_proxies` to reattach the `Proxy-Authorization` header to requests. For HTTP connections sent through the tunnel, the proxy will identify the header in the request itself and remove it prior to forwarding to the destination server. However, when sent over HTTPS, the `Proxy-Authorization` header must be sent in the CONNECT request, as the proxy has no visibility into the tunneled request. This results in Requests forwarding proxy credentials to the destination server unintentionally, allowing a malicious actor to potentially exfiltrate sensitive information. This issue has been patched in version 2.31.0.
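Because the Ubuntu fixes are backported to older version numbers, a behavioural check is more reliable than comparing against 2.31.0. The following is an added example, not code from Ubuntu or the Requests project: a simplified model of the header decision described above, plus a probe that calls `rebuild_proxies` on whatever Requests is installed. The proxy URL, credentials and host names are constructed placeholders.

```python
"""Behavioural check for the Proxy-Authorization leak (CVE-2023-32681)."""
import base64
from urllib.parse import urlparse

# Constructed placeholder proxy with embedded credentials (not a real host).
PROXY = "http://user:pass@proxy.example:3128"


def rebuilt_headers(url, proxy_url, patched):
    """Simplified model of the redirect step: headers attached to the next hop."""
    headers = {}
    scheme = urlparse(url).scheme
    proxy = urlparse(proxy_url)
    if proxy.username and proxy.password:
        # Patched behaviour: for HTTPS the credentials belong only in the
        # CONNECT request to the proxy, never in the tunneled request itself.
        if patched and scheme.startswith("https"):
            return headers
        raw = f"{proxy.username}:{proxy.password}".encode()
        headers["Proxy-Authorization"] = "Basic " + base64.b64encode(raw).decode()
    return headers


def installed_requests_leaks():
    """Probe the installed Requests offline.

    Returns True if the header is reattached for an HTTPS destination,
    False if it is not, None if Requests is not installed.
    """
    try:
        import requests
    except ImportError:
        return None
    session = requests.Session()
    session.trust_env = False  # ignore proxy settings from the environment
    req = requests.Request("GET", "https://destination.example/").prepare()
    # No network traffic: this only recomputes proxies and headers.
    session.rebuild_proxies(req, {"http": PROXY, "https": PROXY})
    return "Proxy-Authorization" in req.headers


if __name__ == "__main__":
    print("model, unpatched:", rebuilt_headers("https://destination.example/", PROXY, False))
    print("model, patched:  ", rebuilt_headers("https://destination.example/", PROXY, True))
    print("installed Requests leaks:", installed_requests_leaks())
```

Run it with each interpreter or virtual environment in use, since copies of Requests bundled elsewhere (see the python-pip note below) are separate from the system package.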

Status

| Package | Ubuntu Release | Status |
|---|---|---|
| python-pip | 24.10 oracular | Not affected |
| python-pip | 24.04 LTS noble | Not affected |
| python-pip | 23.10 mantic | Not affected |
| python-pip | 23.04 lunar | Ignored end of life, was needed |
| python-pip | 22.10 kinetic | Ignored end of life, was needs-triage |
| python-pip | 22.04 LTS jammy | Vulnerable |
| python-pip | 20.04 LTS focal | Fixed 20.0.2-5ubuntu1.9 |
| python-pip | 18.04 LTS bionic | Needs evaluation |
| python-pip | 16.04 LTS xenial | Needs evaluation |
| python-pip | 14.04 LTS trusty | Ignored end of ESM support, was needs-triage |
| requests | 24.10 oracular | Fixed 2.28.1+dfsg-1ubuntu2 |
| requests | 24.04 LTS noble | Fixed 2.28.1+dfsg-1ubuntu2 |
| requests | 23.10 mantic | Fixed 2.28.1+dfsg-1ubuntu2 |
| requests | 23.04 lunar | Fixed 2.28.1+dfsg-1ubuntu1.1 |
| requests | 22.10 kinetic | Fixed 2.27.1+dfsg-1ubuntu2.1 |
| requests | 22.04 LTS jammy | Fixed 2.25.1+dfsg-2ubuntu0.1 |
| requests | 20.04 LTS focal | Fixed 2.22.0-2ubuntu1.1 |
| requests | 18.04 LTS bionic | |
| requests | 16.04 LTS xenial | |
| requests | 14.04 LTS trusty | Ignored end of ESM support, was needs-triage |

Notes


mdeslaur

On focal and earlier, the python-pip package bundles requests binaries when built. After updating requests, a no-change rebuild of python-pip is required. On jammy and later, requests is bundled in the python-pip package and needs to be patched.

Patch details

For informational purposes only. We recommend not to cherry-pick updates.

Package Patch details
requests

Severity score breakdown

| Parameter | Value |
|---|---|
| Base score | 6.1 · Medium |
| Attack vector | Network |
| Attack complexity | High |
| Privileges required | None |
| User interaction | Required |
| Scope | Changed |
| Confidentiality | High |
| Integrity impact | None |
| Availability impact | None |
| Vector | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N |
