
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2023-32681 affects the Python Requests library, a popular HTTP library for making web requests. The vulnerability was discovered in versions from 2.3.0 to 2.30.0, where Requests was leaking Proxy-Authorization headers to destination servers when redirected to an HTTPS endpoint. The issue was disclosed and patched in version 2.31.0, released on May 22, 2023 (GitHub Advisory, Release Notes).
The vulnerability stems from how Requests uses the rebuild_proxies function to reattach the Proxy-Authorization header to requests after a redirect. For HTTP connections through a proxy, the proxy normally identifies and removes this header before forwarding. With HTTPS connections, however, the Proxy-Authorization header must be sent only in the CONNECT request, because the proxy has no visibility into the tunneled request. Since rebuild_proxies reattached the header to the redirected request itself, an HTTPS target received it inside the TLS tunnel, so proxy credentials were unintentionally forwarded to destination servers. The vulnerability has a CVSS v3.1 base score of 6.1 (Moderate) with vector CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N (GitHub Advisory).
The vulnerability allows a malicious destination server to capture sensitive proxy credentials when users define those credentials in the proxy URL (e.g., https://username:password@proxy:8080). It applies to redirects whose target is HTTPS: HTTP → HTTPS (leak) and HTTPS → HTTPS (leak). HTTP → HTTP and HTTPS → HTTP redirects are not affected (GitHub Advisory).
The vulnerability has been patched in Requests version 2.31.0. Users are strongly encouraged to upgrade to this version or later and rotate their proxy credentials after deployment. For those unable to update immediately, a workaround exists by disabling redirects (setting allow_redirects=False) on all Requests API calls. Users who don't use a proxy or don't supply proxy credentials through the URL are not affected by this vulnerability (GitHub Advisory, Release Notes).
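The following Python is an added illustration for this page, not code from the Requests project or from the advisory. It shows two things a defender wants at hand: a version check for the affected range (2.3.0 up to but not including 2.31.0), and a simplified, stand-alone model of the header-rebuild rule described above, contrasting the pre-2.31.0 behaviour (reattach Proxy-Authorization whenever proxy credentials exist for the target scheme) with the patched rule (never attach it to an HTTPS request, since the CONNECT to the proxy carries the credentials). The function and variable names, the sample proxy URL and the sample credentials are constructed for this example and are not the library's own rebuild_proxies.

```python
import base64
from urllib.parse import urlparse

# Affected range from the advisory: 2.3.0 <= version < 2.31.0 (fixed in 2.31.0).
AFFECTED_MIN = (2, 3, 0)
FIXED = (2, 31, 0)


def parse_version(text: str) -> tuple:
    """Turn '2.30.0' into (2, 30, 0); non-numeric suffixes such as 'rc1' are dropped."""
    parts = []
    for piece in text.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_affected_version(text: str) -> bool:
    """True for an installed Requests version inside the affected range."""
    return AFFECTED_MIN <= parse_version(text) < FIXED


def basic_auth(username: str, password: str) -> str:
    """Build the 'Basic <base64(user:pw)>' value used for Proxy-Authorization."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return "Basic " + token


def proxy_credentials(proxies: dict, scheme: str):
    """Pull user and password out of a proxy URL like http://user:pw@proxy:8080."""
    url = proxies.get(scheme)
    if not url:
        return None, None
    parsed = urlparse(url)
    return parsed.username, parsed.password


def rebuild_headers_vulnerable(redirect_url: str, proxies: dict, headers: dict) -> dict:
    """Model of the pre-2.31.0 rule: reattach Proxy-Authorization whenever
    credentials exist for the target scheme, including HTTPS, where the header
    then travels inside the TLS tunnel to the destination server."""
    headers = dict(headers)
    headers.pop("Proxy-Authorization", None)
    scheme = urlparse(redirect_url).scheme
    user, pw = proxy_credentials(proxies, scheme)
    if user and pw:
        headers["Proxy-Authorization"] = basic_auth(user, pw)
    return headers


def rebuild_headers_patched(redirect_url: str, proxies: dict, headers: dict) -> dict:
    """Model of the 2.31.0 rule: never attach the header to an HTTPS request;
    the CONNECT to the proxy carries the credentials (transport layer, outside
    this model)."""
    headers = dict(headers)
    headers.pop("Proxy-Authorization", None)
    scheme = urlparse(redirect_url).scheme
    user, pw = proxy_credentials(proxies, scheme)
    if user and pw and not scheme.startswith("https"):
        headers["Proxy-Authorization"] = basic_auth(user, pw)
    return headers


def leaks_to_destination(rebuild, redirect_url: str, proxies: dict) -> bool:
    """True if, under the given rebuild rule, the redirected request would carry
    Proxy-Authorization over an HTTPS connection to the destination server."""
    new_headers = rebuild(redirect_url, proxies, {"User-Agent": "example"})
    return urlparse(redirect_url).scheme == "https" and "Proxy-Authorization" in new_headers


# Constructed sample: credentials embedded in the proxy URL, the scenario the advisory describes.
SAMPLE_PROXIES = {
    "http": "http://alice:s3cret@proxy.example:8080",
    "https": "http://alice:s3cret@proxy.example:8080",
}

if __name__ == "__main__":
    for target in ("https://dest.example/after", "http://dest.example/after"):
        print(target,
              "| pre-2.31.0 leaks:", leaks_to_destination(rebuild_headers_vulnerable, target, SAMPLE_PROXIES),
              "| patched leaks:", leaks_to_destination(rebuild_headers_patched, target, SAMPLE_PROXIES))
    for v in ("2.3.0", "2.30.0", "2.31.0"):
        print(v, "affected:", is_affected_version(v))
```

Running the block shows the redirect table from the advisory: an HTTPS target leaks under the old rule and not under the patched one, while an HTTP target never reaches the destination with the header because the proxy strips it. The version check is a convenient thing to wire into a dependency audit; the real mitigation remains upgrading to 2.31.0 or later and rotating proxy credentials, with allow_redirects=False as the stopgap the advisory names.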
The vulnerability has been acknowledged and addressed by major Linux distributions including Red Hat, Debian, and Gentoo, who have released security advisories and patches for their respective packages (Debian Advisory, Gentoo Advisory).
Source: This report was generated using AI