Wiz
Vulnerability DatabaseCVE-2023-43804

CVE-2023-43804
Python vulnerability analysis and mitigation

Overview

CVE-2023-43804 affects urllib3, a user-friendly HTTP client library for Python. The vulnerability was discovered and disclosed in October 2023, affecting versions prior to 1.26.17 and 2.0.6. The issue exists because urllib3 doesn't treat the Cookie HTTP header specially or provide any helpers for managing cookies over HTTP, potentially leading to information leakage during cross-origin redirects (GitHub Advisory).

Technical details

The vulnerability occurs when a user specifies a Cookie header and the request is redirected to a different origin without explicitly disabled redirects. urllib3 fails to strip the Cookie header during these cross-origin redirects, which can result in sensitive information being leaked. The vulnerability has been assigned a CVSS base score of 8.1 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N, indicating network attack vector, low attack complexity, and high impact on confidentiality and integrity (NVD).

Impact

Successful exploitation of this vulnerability could lead to the disclosure of sensitive information via HTTP redirects to a different origin. The impact is particularly significant when the Cookie header contains sensitive authentication or session information that could be exposed to unauthorized parties (Debian Advisory).

Mitigation and workarounds

The vulnerability has been patched in urllib3 versions 1.26.17 and 2.0.6. Users are advised to upgrade to these or later versions. Alternative mitigations include disabling HTTP redirects using redirects=False when sending requests or avoiding the use of the Cookie header. The fix involves adding the Cookie header to the list of headers that are stripped from requests when redirecting to a different host (GitHub Commit).

Community reactions

Multiple Linux distributions and software vendors have responded to this vulnerability by releasing security updates. Fedora, Debian, and Ubuntu have issued security advisories and provided updated packages to their users. NetApp has also acknowledged the vulnerability and is investigating its impact on their products (Fedora Update, NetApp Advisory).

Additional resources

SourceThis report was generated using AI

Free Vulnerability Assessment

Benchmark your Cloud Security Posture

Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.

Request assessment

Additional Wiz resources

Cloud Vulnerability DB

Cloud Vulnerability DB

An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues

Cloud threat landscape

Cloud threat landscape

A comprehensive threat intelligence database of cloud security incidents, actors, tools and techniques

PEACH

PEACH

A step-by-step framework for modeling and improving SaaS and PaaS tenant isolation

Get a personalized demo

Ready to see Wiz in action?

“Best User Experience I have ever seen, provides full visibility to cloud workloads.”
David EstlickCISO
“Wiz provides a single pane of glass to see what is going on in our cloud environments.”
Adam FletcherChief Security Officer
“We know that if Wiz identifies something as critical, it actually is.”
Greg PoniatowskiHead of Threat and Vulnerability Management
Get a demo