CVE-2023-43804

Disclosure Date: October 04, 2023 •

CVE-2023-43804 CVSS v3 Base Score: 8.1

MITRE ATT&CK

Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

urllib3 is a user-friendly HTTP client library for Python. urllib3 doesn’t treat the Cookie HTTP header special or provide any helpers for managing cookies over HTTP, that is the responsibility of the user. However, it is possible for a user to specify a Cookie header and unknowingly leak information via HTTP redirects to a different origin if that user doesn’t disable redirects explicitly. This issue has been patched in urllib3 version 1.26.17 or 2.0.5.

Add Assessment

No one has assessed this topic. Be the first to add your voice to the community.

CVSS V3 Severity and Metrics

Data provided by the National Vulnerability Database (NVD)

Base Score:

8.1 High

Impact Score:

5.2

Exploitability Score:

2.8

Vector:

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Attack Vector (AV):

Network

Attack Complexity (AC):

Low

Privileges Required (PR):

Low

User Interaction (UI):

None

Scope (S):

Unchanged

Confidentiality (C):

High

Integrity (I):

High

Availability (A):

None

Vendors

debian,
fedoraproject,
python

Products

debian linux 10.0,
fedora 37,
fedora 38,
fedora 39,
urllib3

References

Canonical

CVE-2023-43804 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-43804)

Exploit

PoCs that have not been added by contributors directly have been sourced from: nomi-sec/PoC-in-GitHub.
A PoC added here by the AKB Worker must have at least 2 GitHub stars.

CVE-2023-43804 (https://github.com/JawadPy/CVE-2023-43804) (Added by AKB Worker)