Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Snyk: Med] Improper Handling of Insufficient Permissions or Privileges (Due 09/16/24) #6343

Closed
1 task
pkfec opened this issue Jun 20, 2024 · 0 comments · Fixed by #6426
Closed
1 task

[Snyk: Med] Improper Handling of Insufficient Permissions or Privileges (Due 09/16/24) #6343

pkfec opened this issue Jun 20, 2024 · 0 comments · Fixed by #6426
Assignees
@tmpayton
Labels
Security: moderate Remediate within 60 days
Milestone
25.i

Comments

@pkfec
Copy link
Contributor

pkfec commented Jun 20, 2024

Overview

urllib3 is a HTTP library with thread-safe connection pooling, file post, and more.

Affected versions of this package are vulnerable to Improper Removal of Sensitive Information Before Storage or Transfer due to the improper handling of the Proxy-Authorization header during cross-origin redirects when ProxyManager is not in use. When the conditions below are met, including non-recommended configurations, the contents of this header can be sent in an automatic HTTP redirect.

https://security.snyk.io/vuln/SNYK-PYTHON-URLLIB3-7267250

Workarounds

Using the Proxy-Authorization header with urllib3's ProxyManager.

Disabling HTTP redirects using redirects=False when sending requests.

Not using the Proxy-Authorization header.

Introduced through:

urllib3@1.26.18

Remediation:

upgrade urllib3@1.26.19

Completion criteria:

  • upgrade urllib3@1.26.19 and verify snyk cli no longer flags requests as vulnerable package
@pkfec pkfec added the Security: moderate Remediate within 60 days label Jun 20, 2024
@pkfec pkfec mentioned this issue Jun 20, 2024
Closed
3 tasks
@pkfec pkfec added this to the 25.i milestone Jun 20, 2024
This was referenced Jun 26, 2024
Closed
Closed
@fec-jli fec-jli mentioned this issue Jul 10, 2024
Closed
2 tasks
@fec-jli fec-jli mentioned this issue Jul 17, 2024
Closed
3 tasks
@tmpayton tmpayton mentioned this issue Jul 24, 2024
Closed
2 tasks
@tmpayton tmpayton mentioned this issue Jul 31, 2024
Closed
3 tasks
@fec-jli fec-jli mentioned this issue Aug 7, 2024
Closed
2 tasks
@tmpayton tmpayton self-assigned this Aug 8, 2024
@tmpayton tmpayton mentioned this issue Aug 12, 2024
Merged
@pkfec pkfec mentioned this issue Aug 14, 2024
Closed
2 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@tmpayton tmpayton

Labels
Security: moderate Remediate within 60 days
Projects
Website project
Status: ✅ Done
Milestone
25.i
Development

Successfully merging a pull request may close this issue.

Upgrade urllib3v2.2.2 fecgov/fec-cms
2 participants
@pkfec @tmpayton