CVE-2023-45803
Python vulnerability analysis and mitigation

Overview

CVE-2023-45803 affects urllib3, a user-friendly HTTP client library for Python. The vulnerability was discovered and disclosed in October 2023: urllib3 versions up to 1.26.17 and 2.0.6 failed to remove the HTTP request body when following an HTTP redirect response with status code 301, 302, or 303 that changed the request method to GET (GitHub Advisory).

Technical details

The vulnerability occurs when urllib3 changes the request method to GET after receiving a 303 'See Other' redirect response. According to the HTTP RFCs, a request whose method is changed to GET must have its body stripped, but urllib3 did not implement this behavior correctly and kept the original body on the follow-up request. The issue has a CVSS v3.1 base score of 4.2 (MEDIUM) with the vector string CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N (NVD).

Impact

The vulnerability could lead to sensitive information disclosure if two conditions are met: 1) The application is using urllib3 and submitting sensitive information in the HTTP request body (such as form data or JSON), and 2) The origin service becomes compromised and starts redirecting using 301, 302, or 303 to a malicious peer, or the redirected-to service becomes compromised (GitHub Advisory).

Mitigation and workarounds

The vulnerability has been patched in versions 1.26.18 and 2.0.7, and users are advised to upgrade to these versions. For users unable to update, there are two workarounds: 1) Disable redirect following (redirects=False) for services that are not expected to respond with redirects, or 2) Disable automatic redirects with redirects=False and handle 301, 302, and 303 redirects manually, stripping the HTTP request body before the follow-up request (GitHub Advisory).
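Workaround 2 written out as an added example (this is not urllib3's or the advisory's code): a transport-agnostic redirect loop that drops the body on 301/302/303 and keeps it on 307/308. The `send` callable is a hypothetical single-request function that must not follow redirects itself; with a `urllib3.PoolManager` instance `http` it would be `lambda m, u, b: http.request(m, u, body=b, redirect=False)`, and `fake_transport` below is a constructed stand-in server so the example runs offline.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple
from urllib.parse import urljoin

BODY_DROPPING = {301, 302, 303}  # method becomes GET and the body must be removed
METHOD_KEEPING = {307, 308}      # method and body are preserved by definition

@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    data: bytes = b""

def next_request(method: str, url: str, body: Optional[bytes],
                 resp: Response) -> Optional[Tuple[str, str, Optional[bytes]]]:
    """Return (method, url, body) for the follow-up request, or None if not a redirect."""
    location = resp.headers.get("Location")
    if location is None:
        return None
    target = urljoin(url, location)
    if resp.status in BODY_DROPPING:
        # HEAD stays HEAD; anything else is re-sent as GET with no body at all.
        return ("HEAD" if method == "HEAD" else "GET"), target, None
    if resp.status in METHOD_KEEPING:
        return method, target, body
    return None

def follow(send: Callable[[str, str, Optional[bytes]], Response], method: str,
           url: str, body: Optional[bytes] = None, max_redirects: int = 5) -> Response:
    """Send the request with automatic redirects off and follow redirects manually."""
    for _ in range(max_redirects + 1):
        resp = send(method, url, body)
        nxt = next_request(method, url, body, resp)
        if nxt is None:
            return resp
        method, url, body = nxt
    raise RuntimeError("too many redirects")

def fake_transport(log: List[Tuple[str, str, Optional[bytes]]]) -> Callable:
    """Constructed stand-in server: /submit answers 303 -> /done, /keep answers 307 -> /done."""
    def send(method: str, url: str, body: Optional[bytes]) -> Response:
        log.append((method, url, body))  # record exactly what would leave the client
        if url.endswith("/submit"):
            return Response(303, {"Location": "/done"})
        if url.endswith("/keep"):
            return Response(307, {"Location": "/done"})
        return Response(200, data=b"ok")
    return send
```

Running `follow(fake_transport(log), "POST", "https://api.example.test/submit", b"token=SECRET")` records a second request of `("GET", "https://api.example.test/done", None)`, which is the behavior the patched urllib3 versions restore.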
