CVE-2024-37891: 
Python vulnerability analysis and mitigation

CVE-2024-37891 affects urllib3, a user-friendly HTTP client library for Python. The vulnerability was discovered and disclosed on June 17, 2024, impacting versions prior to 1.26.19 and 2.2.2. The issue occurs when sending HTTP requests without using urllib3's proxy support, where the Proxy-Authorization header is not properly handled during cross-origin redirects (GitHub Advisory).

The vulnerability stems from urllib3's handling of the Proxy-Authorization header during cross-origin redirects. When using urllib3 without its built-in proxy support, the library doesn't treat the Proxy-Authorization HTTP header as authentication material, resulting in the header not being stripped during cross-origin redirects. The vulnerability has been assigned a CVSS v3.1 base score of 4.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N (GitHub Advisory).

Successful exploitation of this vulnerability could lead to the disclosure of sensitive information. However, the impact is considered low for most users due to the specific conditions required for exploitation (NetApp Advisory).

Users are advised to update to either version 1.26.19 or version 2.2.2 of urllib3. Alternative mitigations include: 1) Using the Proxy-Authorization header with urllib3's ProxyManager, 2) Disabling HTTP redirects using redirects=False when sending requests, or 3) Not using the Proxy-Authorization header (GitHub Advisory).