CVE-2023-32681
Publication date 26 May 2023
Last updated 24 July 2024
Ubuntu priority
CVSS 3 severity score: 6.1 (Medium)
Requests is an HTTP library. Since Requests 2.3.0, Requests has been leaking `Proxy-Authorization` headers to destination servers when redirected to an HTTPS endpoint. This is a product of how we use `rebuild_proxies` to reattach the `Proxy-Authorization` header to requests. For HTTP connections sent through the tunnel, the proxy will identify the header in the request itself and remove it prior to forwarding to the destination server. However, when sent over HTTPS, the `Proxy-Authorization` header must be sent in the CONNECT request, as the proxy has no visibility into the tunneled request. This results in Requests forwarding proxy credentials to the destination server unintentionally, allowing a malicious actor to potentially exfiltrate sensitive information. This issue has been patched in version 2.31.0.
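As an added illustration (not Requests' own code), the following simplified model of the `rebuild_proxies` redirect path puts the pre-2.31.0 logic beside the patched one: the function names, proxy URLs and target URL are constructed for the example, and `leaks_proxy_credentials` shows the check a tester would run on either variant.

```python
import base64
from urllib.parse import urlparse

def basic_auth_str(username, password):
    # Basic credential encoding as carried in a Proxy-Authorization header.
    token = base64.b64encode(f"{username}:{password}".encode("latin1"))
    return "Basic " + token.decode("ascii")

def proxy_credentials(proxies, scheme):
    # Pull user/password out of the proxy URL configured for this scheme.
    proxy = proxies.get(scheme)
    if not proxy:
        return None, None
    parsed = urlparse(proxy)
    return parsed.username, parsed.password

def rebuild_proxies_vulnerable(url, headers, proxies):
    """Pre-2.31.0 behaviour (simplified): reattach Proxy-Authorization on every redirect."""
    scheme = urlparse(url).scheme
    headers.pop("Proxy-Authorization", None)
    user, pwd = proxy_credentials(proxies, scheme)
    if user and pwd:
        headers["Proxy-Authorization"] = basic_auth_str(user, pwd)
    return headers

def rebuild_proxies_fixed(url, headers, proxies):
    """2.31.0 behaviour (simplified): never attach the header to a TLS-tunneled request."""
    scheme = urlparse(url).scheme
    headers.pop("Proxy-Authorization", None)
    user, pwd = proxy_credentials(proxies, scheme)
    # Over https the credentials belong only in the CONNECT request, which
    # the proxy consumes; anything left in these headers reaches the origin.
    if not scheme.startswith("https") and user and pwd:
        headers["Proxy-Authorization"] = basic_auth_str(user, pwd)
    return headers

def leaks_proxy_credentials(rebuild, redirect_url, proxies):
    """True if the headers that would reach the origin carry proxy credentials."""
    return "Proxy-Authorization" in rebuild(redirect_url, {}, proxies)

# Constructed sample: authenticated proxy, redirect landing on an https:// URL.
PROXIES = {"http": "http://user:s3cret@proxy.example:3128",
           "https": "http://user:s3cret@proxy.example:3128"}
TARGET = "https://origin.example/after-redirect"

if __name__ == "__main__":
    print("vulnerable:", leaks_proxy_credentials(rebuild_proxies_vulnerable, TARGET, PROXIES))
    print("fixed:     ", leaks_proxy_credentials(rebuild_proxies_fixed, TARGET, PROXIES))
```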
Status
Package | Ubuntu Release | Status |
---|---|---|
python-pip | 24.10 oracular | Not affected |
python-pip | 24.04 LTS noble | Not affected |
python-pip | 22.04 LTS jammy | Vulnerable |
python-pip | 20.04 LTS focal | Fixed 20.0.2-5ubuntu1.9 |
python-pip | 18.04 LTS bionic | Needs evaluation |
python-pip | 16.04 LTS xenial | Needs evaluation |
python-pip | 14.04 LTS trusty | Ignored (end of ESM support, was needs-triage) |
requests | 24.10 oracular | Fixed 2.28.1+dfsg-1ubuntu2 |
requests | 24.04 LTS noble | Fixed 2.28.1+dfsg-1ubuntu2 |
requests | 22.04 LTS jammy | Fixed 2.25.1+dfsg-2ubuntu0.1 |
requests | 20.04 LTS focal | Fixed 2.22.0-2ubuntu1.1 |
requests | 18.04 LTS bionic | Fixed 2.18.4-2ubuntu0.1+esm1 |
requests | 16.04 LTS xenial | Fixed 2.9.1-3ubuntu0.1+esm1 |
requests | 14.04 LTS trusty | Ignored (end of ESM support, was needs-triage) |
Notes
mdeslaur
On focal and earlier, the python-pip package bundles requests binaries when built. After updating requests, a no-change rebuild of python-pip is required. On jammy and later, requests is bundled in the python-pip package and needs to be patched.
Severity score breakdown
Parameter | Value |
---|---|
Base score | 6.1 · Medium |
Attack vector | Network |
Attack complexity | High |
Privileges required | None |
User interaction | Required |
Scope | Changed |
Confidentiality impact | High |
Integrity impact | None |
Availability impact | None |
Vector | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N |
References
Related Ubuntu Security Notices (USN)
- USN-6155-1: Requests vulnerability (12 June 2023)
- USN-6155-2: Requests vulnerability (15 June 2023)