QwikSec

Security Database

CVE

CWE

Training

CVE-2023-43804

Published: Oct 4, 2023

Modified: Nov 3, 2025

PUBLISHED

CVSS v3.1

5.9

MEDIUM

Description

urllib3 is a user-friendly HTTP client library for Python. urllib3 doesn't treat the `Cookie` HTTP header special or provide any helpers for managing cookies over HTTP, that is the responsibility of the user. However, it is possible for a user to specify a `Cookie` header and unknowingly leak information via HTTP redirects to a different origin if that user doesn't disable redirects explicitly. This issue has been patched in urllib3 version 1.26.17 or 2.0.5.

Vendor	Product	Versions
urllib3	urllib3	affected `>= 2.0.0, < 2.0.6` affected `< 1.26.17`

Weaknesses (CWE)

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N

Attack Vector

Network

Attack Complexity

High

Privileges Required

High

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

References

https://github.com/urllib3/urllib3/security/advisories/GHSA-v845-jxx5-vc9f

x_refsource_CONFIRM

https://github.com/urllib3/urllib3/commit/01220354d389cd05474713f8c982d05c9b17aafb

x_refsource_MISC

https://github.com/urllib3/urllib3/commit/644124ecd0b6e417c527191f866daa05a5a2056d

x_refsource_MISC

https://lists.debian.org/debian-lts-announce/2023/10/msg00012.html

https://lists.fedoraproject.org/archives/list/[email protected]/message/I3PR7C6RJ6JUBQKIJ644DMIJSUP36VDY/

https://lists.fedoraproject.org/archives/list/[email protected]/message/NDAGZXYJ7H2G3SB47M453VQVNAWKAEJJ/

https://lists.fedoraproject.org/archives/list/[email protected]/message/5F5CUBAN5XMEBVBZPHFITBLMJV5FIJJ5/

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.