[Snyk: Med] urllib3 (Due 12/4/23) #5946

Closed
Tracked by #137
tmpayton opened this issue Oct 4, 2023 · 0 comments · Fixed by #5984
Labels: Security: moderate (Remediate within 60 days)
Comments

tmpayton (Contributor) commented Oct 4, 2023

Introduced through: urllib3@1.26.7, requests@2.31.0 and others
Fixed in: urllib3@1.26.18, urllib3@2.0.7

Exploit maturity: No known exploit

Detailed paths and remediation

Introduced through: project@0.0.0 › urllib3@1.26.7
Fix: Upgrade urllib3 to version 1.26.18 or 2.0.7

Introduced through: project@0.0.0 › requests@2.31.0 › urllib3@1.26.7
Fix: Pin urllib3 to version 1.26.18 or 2.0.7

Introduced through: project@0.0.0 › cachecontrol@0.11.5 › requests@2.31.0 › urllib3@1.26.7
Fix: Pin urllib3 to version 1.26.18 or 2.0.7

…and 4 more
Security information

Factors contributing to the scoring:

Snyk: [CVSS 4.2](https://security.snyk.io/vuln/SNYK-PYTHON-URLLIB3-6002459) - Medium Severity
NVD: Not available. NVD has not yet published its analysis.
Overview

urllib3 is an HTTP library with thread-safe connection pooling, file post, and more.

Affected versions of this package are vulnerable to Information Exposure Through Sent Data when it processes HTTP redirects with a 303 status code, due to not stripping the request body when changing the request method from POST to GET. An attacker can potentially expose sensitive information by compromising the origin service and redirecting requests to a malicious peer.
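
To make the behaviour described in the advisory concrete, here is an added example that is not urllib3's code and not this project's: it re-creates the 303 body leak against a loopback server using only the Python standard library. The toy origin, its /login and /peer paths, SECRET_BODY and the two-mode client are all constructed for illustration, and the client's redirect handling is a simplified stand-in for how an HTTP client follows a 303, not urllib3's implementation. /peer plays the role of the "malicious peer" the advisory mentions: once an attacker who has compromised the origin points the 303 there, the follow-up GET carries the original POST body unless the client strips it.

```python
# Added example for this issue, not urllib3's or this project's code: a
# loopback re-creation of the 303 body leak using only the standard library.
# The paths (/login, /peer), the loopback host and SECRET_BODY are constructed.
import threading
from http.client import HTTPConnection
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import urlsplit

SECRET_BODY = b"username=alice&password=hunter2"  # constructed sample body
BODY_HEADERS = {"content-length", "content-type", "transfer-encoding"}


class Origin(BaseHTTPRequestHandler):
    """Toy origin. POST /login answers 303 -> /peer (standing in for the
    redirect target a compromised origin would be made to emit);
    /peer records whatever request body reaches it."""

    received = {}  # path -> request body bytes seen by that path

    def do_POST(self):
        self._handle()

    def do_GET(self):
        self._handle()

    def _handle(self):
        length = int(self.headers.get("Content-Length") or 0)
        type(self).received[self.path] = self.rfile.read(length) if length else b""
        self.send_response(303 if self.path == "/login" else 200)
        if self.path == "/login":
            self.send_header("Location", "/peer")
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # silence request logging
        pass


def request_following_303(host, port, method, path, body, headers, strip_body):
    """Send one request and follow at most one 303 redirect.

    strip_body=False mirrors the vulnerable behaviour: the method flips to
    GET, but the original body (and its Content-Type) are re-sent to the new
    location. strip_body=True is the hardened behaviour: drop the body and
    the headers that describe it before re-sending. Returns the final status."""
    conn = HTTPConnection(host, port, timeout=5)
    conn.request(method, path, body=body, headers=headers)
    resp = conn.getresponse()
    resp.read()
    if resp.status != 303:
        conn.close()
        return resp.status
    location = urlsplit(resp.getheader("Location")).path
    if strip_body:
        body = None
        headers = {k: v for k, v in headers.items() if k.lower() not in BODY_HEADERS}
    # http.client adds Content-Length for a bytes body even on GET, which is
    # exactly how the secret travels to the redirect target in the unfixed case.
    conn.request("GET", location, body=body, headers=headers)
    final = conn.getresponse()
    final.read()
    conn.close()
    return final.status


def run_demo(strip_body):
    """Start the toy origin, POST SECRET_BODY to /login, follow the 303 and
    return the bytes that reached /peer (b"" when nothing leaked)."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), Origin)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        Origin.received.clear()
        host, port = server.server_address
        status = request_following_303(
            host, port, "POST", "/login", SECRET_BODY,
            {"Content-Type": "application/x-www-form-urlencoded"}, strip_body)
        assert status == 200
        return Origin.received.get("/peer", b"")
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print("unfixed client leaked to /peer:", run_demo(strip_body=False))
    print("fixed client leaked to /peer:  ", run_demo(strip_body=True))
```

Run it directly to see both modes: the unfixed client delivers the full form body to /peer, the fixed one delivers nothing. The practical check for this issue is the urllib3 that is actually imported at runtime, not only the version pinned in a lockfile, since requests and cachecontrol pull it in transitively: `python -c "import urllib3; print(urllib3.__version__)"` should report 1.26.18, 2.0.7 or later.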
