[Snyk:Medium] requests Information Exposure (due by 07/23/2023) #5459

cnlucas · 2023-05-24T14:17:30Z

Introduced through
requests@2.25.1, prance@0.22.11.4.0 and others
Fixed in
requests@2.31.0

Exploit maturity
No known exploit

Detailed paths and remediation

Introduced through: project@0.0.0 › requests@2.25.1
Fix: Upgrade requests to version 2.31.0

Introduced through: project@0.0.0 › prance@0.22.11.4.0 › requests@2.25.1
Fix: Pin requests to version 2.31.0
Introduced through: project@0.0.0 › requests-aws4auth@1.0 › requests@2.25.1
Fix: Pin requests to version 2.31.0

…and 1 more
Security information
Factors contributing to the scoring:

Snyk: [CVSS 6.1](https://security.snyk.io/vuln/SNYK-PYTHON-REQUESTS-5595532) - Medium Severity
NVD: Not available. NVD has not yet published its analysis.

Why are the scores different? Learn how Snyk evaluates vulnerability scores
Overview

Affected versions of this package are vulnerable to Information Exposure by leaking Proxy-Authorization headers to destination servers during redirects to an HTTPS origin. This is a result of how rebuild_proxies is used to recompute and reattach the Proxy-Authorization header to requests when redirected.

NOTE: This behavior has only been observed to affect proxied requests when credentials are supplied in the URL user information component (e.g. https://username:password@proxy:8080), and only when redirecting to HTTPS:

HTTP → HTTPS: leak

HTTPS → HTTP: no leak

HTTPS → HTTPS: leak

HTTP → HTTP: no leak

For HTTP connections sent through the proxy, the proxy will identify the header in the request and remove it prior to forwarding to the destination server. However when sent over HTTPS, the Proxy-Authorization header must be sent in the CONNECT request as the proxy has no visibility into further tunneled requests. This results in Requests forwarding the header to the destination server unintentionally, allowing a malicious actor to potentially exfiltrate those credentials.

Completion criteria

(What does the end state look like - as long as this task(s) is done, this work is complete)

This vulnerability is remediated or ignored (because we have confirmed it doesn't affect us)

The text was updated successfully, but these errors were encountered:

cnlucas added Security: moderate Remediate within 60 days Security: general General security concern or issue labels May 24, 2023

cnlucas mentioned this issue May 24, 2023

Check logs 21.5 Week 2 #5439

Closed

3 tasks

tmpayton mentioned this issue May 31, 2023

Check logs 21.6 Week 1 #5460

Closed

2 tasks

tmpayton mentioned this issue Jun 7, 2023

Check logs 21.6 Week 2 #5461

Closed

3 tasks

hcaofec mentioned this issue Jun 14, 2023

Check Logs Innovation Week 1 #5467

Closed

2 tasks

fec-jli mentioned this issue Jun 21, 2023

Check Logs Innovation Week 2 #5468

Closed

2 tasks

hcaofec mentioned this issue Jun 28, 2023

Check Logs Innovation Week 3 #5469

Closed

3 tasks

pkfec mentioned this issue Jul 6, 2023

Check Logs 22.1 Week 1 #5483

Closed

2 tasks

cnlucas added this to the Sprint 22.1 milestone Jul 6, 2023

cnlucas self-assigned this Jul 6, 2023

cnlucas mentioned this issue Jul 6, 2023

5459-update requests #5488

Merged

pkfec mentioned this issue Jul 12, 2023

Check logs 22.1 Week 2 #5484

Closed

3 tasks

fec-jli closed this as completed in #5488 Jul 12, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[Snyk:Medium] requests Information Exposure (due by 07/23/2023) #5459

[Snyk:Medium] requests Information Exposure (due by 07/23/2023) #5459

cnlucas commented May 24, 2023

[Snyk:Medium] requests Information Exposure (due by 07/23/2023) #5459

[Snyk:Medium] requests Information Exposure (due by 07/23/2023) #5459

Comments

cnlucas commented May 24, 2023

Completion criteria