CVE-2023-32681

NameCVE-2023-32681
DescriptionRequests is a HTTP library. Since Requests 2.3.0, Requests has been leaking Proxy-Authorization headers to destination servers when redirected to an HTTPS endpoint. This is a product of how we use `rebuild_proxies` to reattach the `Proxy-Authorization` header to requests. For HTTP connections sent through the tunnel, the proxy will identify the header in the request itself and remove it prior to forwarding to the destination server. However when sent over HTTPS, the `Proxy-Authorization` header must be sent in the CONNECT request as the proxy has no visibility into the tunneled request. This results in Requests forwarding proxy credentials to the destination server unintentionally, allowing a malicious actor to potentially exfiltrate sensitive information. This issue has been patched in version 2.31.0.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-3456-1
Debian Bugs1036693

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
requests (PTS)bullseye2.25.1+dfsg-2vulnerable
bookworm2.28.1+dfsg-1vulnerable
sid, trixie2.32.3+dfsg-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
requestssourcebuster2.21.0-1+deb10u1DLA-3456-1
requestssource(unstable)2.31.0+dfsg-11036693

Notes

[bookworm] - requests <no-dsa> (Minor issue)
[bullseye] - requests <no-dsa> (Minor issue)
https://github.com/psf/requests/security/advisories/GHSA-j8r2-6x86-q33q
Fixed by: https://github.com/psf/requests/commit/74ea7cf7a6a27a4eeb2ae24e162bcc942a6706d5 (v2.31.0)

Search for package or bug name: Reporting problems