{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-43804", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-09-22T14:51:42.340Z", "datePublished": "2023-10-04T16:01:50.447Z", "dateUpdated": "2024-08-19T07:48:07.200Z"}, "containers": {"cna": {"title": "`Cookie` HTTP header isn't stripped on cross-origin redirects", "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "lang": "en", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/urllib3/urllib3/security/advisories/GHSA-v845-jxx5-vc9f", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/urllib3/urllib3/security/advisories/GHSA-v845-jxx5-vc9f"}, {"name": "https://github.com/urllib3/urllib3/commit/01220354d389cd05474713f8c982d05c9b17aafb", "tags": ["x_refsource_MISC"], "url": "https://github.com/urllib3/urllib3/commit/01220354d389cd05474713f8c982d05c9b17aafb"}, {"name": "https://github.com/urllib3/urllib3/commit/644124ecd0b6e417c527191f866daa05a5a2056d", "tags": ["x_refsource_MISC"], "url": "https://github.com/urllib3/urllib3/commit/644124ecd0b6e417c527191f866daa05a5a2056d"}, {"url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00012.html"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I3PR7C6RJ6JUBQKIJ644DMIJSUP36VDY/"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NDAGZXYJ7H2G3SB47M453VQVNAWKAEJJ/"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5F5CUBAN5XMEBVBZPHFITBLMJV5FIJJ5/"}], "affected": [{"vendor": "urllib3", "product": "urllib3", "versions": [{"version": ">= 2.0.0, < 2.0.6", "status": "affected"}, {"version": "< 1.26.17", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-10-04T16:01:50.447Z"}, "descriptions": [{"lang": "en", "value": "urllib3 is a user-friendly HTTP client library for Python. urllib3 doesn't treat the `Cookie` HTTP header special or provide any helpers for managing cookies over HTTP, that is the responsibility of the user. However, it is possible for a user to specify a `Cookie` header and unknowingly leak information via HTTP redirects to a different origin if that user doesn't disable redirects explicitly. This issue has been patched in urllib3 version 1.26.17 or 2.0.5."}], "source": {"advisory": "GHSA-v845-jxx5-vc9f", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-19T07:48:07.200Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/urllib3/urllib3/security/advisories/GHSA-v845-jxx5-vc9f", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/urllib3/urllib3/security/advisories/GHSA-v845-jxx5-vc9f"}, {"name": "https://github.com/urllib3/urllib3/commit/01220354d389cd05474713f8c982d05c9b17aafb", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/urllib3/urllib3/commit/01220354d389cd05474713f8c982d05c9b17aafb"}, {"name": "https://github.com/urllib3/urllib3/commit/644124ecd0b6e417c527191f866daa05a5a2056d", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/urllib3/urllib3/commit/644124ecd0b6e417c527191f866daa05a5a2056d"}, {"url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00012.html", "tags": ["x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I3PR7C6RJ6JUBQKIJ644DMIJSUP36VDY/", "tags": ["x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NDAGZXYJ7H2G3SB47M453VQVNAWKAEJJ/", "tags": ["x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5F5CUBAN5XMEBVBZPHFITBLMJV5FIJJ5/", "tags": ["x_transferred"]}, {"url": "https://www.vicarius.io/vsociety/posts/cve-2023-43804-urllib3-vulnerability-3"}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:python:urllib3:*:*:*:*:*:*:*:*", "matchCriteriaId": "97C54576-30ED-41C6-817B-E40030A06A69", "versionEndExcluding": "1.26.17", "vulnerable": true}, {"criteria": "cpe:2.3:a:python:urllib3:*:*:*:*:*:*:*:*", "matchCriteriaId": "59C45894-31CB-46E5-B085-986EC7223245", "versionEndExcluding": "2.0.6", "versionStartIncluding": "2.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*", "matchCriteriaId": "E30D0E6F-4AE8-4284-8716-991DFA48CC5D", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*", "matchCriteriaId": "CC559B26-5DFC-4B7A-A27C-B77DE755DFF9", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:39:*:*:*:*:*:*:*", "matchCriteriaId": "B8EDB836-4E6A-4B71-B9B2-AA3E03E0F646", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "urllib3 is a user-friendly HTTP client library for Python. urllib3 doesn't treat the `Cookie` HTTP header special or provide any helpers for managing cookies over HTTP, that is the responsibility of the user. However, it is possible for a user to specify a `Cookie` header and unknowingly leak information via HTTP redirects to a different origin if that user doesn't disable redirects explicitly. This issue has been patched in urllib3 version 1.26.17 or 2.0.5."}, {"lang": "es", "value": "urllib3 es una librer\u00eda cliente HTTP f\u00e1cil de usar para Python. urllib3 no trata el encabezado HTTP \"Cookie\" de manera especial ni proporciona ayuda para administrar las cookies a trav\u00e9s de HTTP, eso es responsabilidad del usuario. Sin embargo, es posible que un usuario especifique un encabezado \"Cookie\" y, sin saberlo, filtre informaci\u00f3n a trav\u00e9s de redireccionamientos HTTP a un origen diferente si ese usuario no deshabilita los redireccionamientos expl\u00edcitamente. Este problema se solucion\u00f3 en urllib3 versi\u00f3n 1.26.17 o 2.0.5."}], "id": "CVE-2023-43804", "lastModified": "2024-02-01T00:55:23.317", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 0.7, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2023-10-04T17:15:10.163", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/urllib3/urllib3/commit/01220354d389cd05474713f8c982d05c9b17aafb"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/urllib3/urllib3/commit/644124ecd0b6e417c527191f866daa05a5a2056d"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://github.com/urllib3/urllib3/security/advisories/GHSA-v845-jxx5-vc9f"}, {"source": "security-advisories@github.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00012.html"}, {"source": "security-advisories@github.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5F5CUBAN5XMEBVBZPHFITBLMJV5FIJJ5/"}, {"source": "security-advisories@github.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I3PR7C6RJ6JUBQKIJ644DMIJSUP36VDY/"}, {"source": "security-advisories@github.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NDAGZXYJ7H2G3SB47M453VQVNAWKAEJJ/"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "security-advisories@github.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2023:6158", "cpe": "cpe:/a:redhat:ansible_automation_platform:2.4::el8", "package": "python3x-urllib3-0:1.26.18-1.el8ap", "product_name": "Red Hat Ansible Automation Platform 2.4 for RHEL 8", "release_date": "2023-10-30T00:00:00Z"}, {"advisory": "RHSA-2024:0733", "cpe": "cpe:/a:redhat:ansible_automation_platform:2.4::el8", "package": "automation-controller-0:4.5.1-1.el8ap", "product_name": "Red Hat Ansible Automation Platform 2.4 for RHEL 8", "release_date": "2024-02-07T00:00:00Z"}, {"advisory": "RHSA-2023:6158", "cpe": "cpe:/a:redhat:ansible_automation_platform:2.4::el9", "package": "python-urllib3-0:1.26.18-1.el9ap", "product_name": "Red Hat Ansible Automation Platform 2.4 for RHEL 9", "release_date": "2023-10-30T00:00:00Z"}, {"advisory": "RHSA-2024:0733", "cpe": "cpe:/a:redhat:ansible_automation_platform:2.4::el9", "package": "automation-controller-0:4.5.1-1.el9ap", "product_name": "Red Hat Ansible Automation Platform 2.4 for RHEL 9", "release_date": "2024-02-07T00:00:00Z"}, {"advisory": "RHSA-2024:0133", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "fence-agents-0:4.2.1-121.el8_9.2", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-01-10T00:00:00Z"}, {"advisory": "RHSA-2024:2985", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "python39:3.9-8100020240214182535.7044f6c1", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-05-22T00:00:00Z"}, {"advisory": "RHSA-2024:2985", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "python39-devel:3.9-8100020240214182535.7044f6c1", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-05-22T00:00:00Z"}, {"advisory": "RHSA-2024:2986", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "python3.11-urllib3-0:1.26.12-2.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-05-22T00:00:00Z"}, {"advisory": "RHSA-2024:2987", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "python27:2.7-8100020240208011952.5f0f67de", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-05-22T00:00:00Z"}, {"advisory": "RHSA-2024:0116", "cpe": "cpe:/o:redhat:enterprise_linux:8", "package": "python-urllib3-0:1.24.2-5.el8_9.2", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-01-10T00:00:00Z"}, {"advisory": "RHSA-2023:6812", "cpe": "cpe:/a:redhat:rhel_e4s:8.1", "package": "fence-agents-0:4.2.1-30.el8_1.10", "product_name": "Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions", "release_date": "2023-11-08T00:00:00Z"}, {"advisory": "RHSA-2023:7435", "cpe": "cpe:/a:redhat:rhel_aus:8.2", "package": "fence-agents-0:4.2.1-41.el8_2.12", "product_name": "Red Hat Enterprise Linux 8.2 Advanced Update Support", "release_date": "2023-11-21T00:00:00Z"}, {"advisory": "RHSA-2023:7435", "cpe": "cpe:/a:redhat:rhel_tus:8.2", "package": "fence-agents-0:4.2.1-41.el8_2.12", "product_name": "Red Hat Enterprise Linux 8.2 Telecommunications Update Service", "release_date": "2023-11-21T00:00:00Z"}, {"advisory": "RHSA-2023:7435", "cpe": "cpe:/a:redhat:rhel_e4s:8.2", "package": "fence-agents-0:4.2.1-41.el8_2.12", "product_name": "Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions", "release_date": "2023-11-21T00:00:00Z"}, {"advisory": "RHSA-2023:7523", "cpe": "cpe:/a:redhat:rhel_aus:8.4", "package": "fence-agents-0:4.2.1-65.el8_4.13", "product_name": "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support", "release_date": "2023-11-28T00:00:00Z"}, {"advisory": "RHSA-2023:7523", "cpe": "cpe:/a:redhat:rhel_tus:8.4", "package": "fence-agents-0:4.2.1-65.el8_4.13", "product_name": "Red Hat Enterprise Linux 8.4 Telecommunications Update Service", "release_date": "2023-11-28T00:00:00Z"}, {"advisory": "RHSA-2023:7523", "cpe": "cpe:/a:redhat:rhel_e4s:8.4", "package": "fence-agents-0:4.2.1-65.el8_4.13", "product_name": "Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions", "release_date": "2023-11-28T00:00:00Z"}, {"advisory": "RHSA-2023:7407", "cpe": "cpe:/a:redhat:rhel_eus:8.6", "package": "fence-agents-0:4.2.1-89.el8_6.10", "product_name": "Red Hat Enterprise Linux 8.6 Extended Update Support", "release_date": "2023-11-21T00:00:00Z"}, {"advisory": "RHSA-2024:0300", "cpe": "cpe:/o:redhat:rhel_eus:8.6", "package": "python-urllib3-0:1.24.2-5.el8_6.1", "product_name": "Red Hat Enterprise Linux 8.6 Extended Update Support", "release_date": "2024-01-18T00:00:00Z"}, {"advisory": "RHSA-2023:7528", "cpe": "cpe:/a:redhat:rhel_eus:8.8", "package": "fence-agents-0:4.2.1-112.el8_8.2", "product_name": "Red Hat Enterprise Linux 8.8 Extended Update Support", "release_date": "2023-11-28T00:00:00Z"}, {"advisory": "RHSA-2024:0588", "cpe": "cpe:/o:redhat:rhel_eus:8.8", "package": "python-urllib3-0:1.24.2-5.el8_8.1", "product_name": "Red Hat Enterprise Linux 8.8 Extended Update Support", "release_date": "2024-01-30T00:00:00Z"}, {"advisory": "RHSA-2023:7753", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "fence-agents-0:4.10.0-55.el9_3.2", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2023-12-12T00:00:00Z"}, {"advisory": "RHSA-2024:2159", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "python3.11-urllib3-0:1.26.12-2.el9", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-04-30T00:00:00Z"}, {"advisory": "RHSA-2024:0464", "cpe": "cpe:/o:redhat:enterprise_linux:9", "package": "python-urllib3-0:1.26.5-3.el9_3.1", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-01-25T00:00:00Z"}, {"advisory": "RHSA-2023:7385", "cpe": "cpe:/a:redhat:rhel_eus:9.0", "package": "fence-agents-0:4.10.0-20.el9_0.10", "product_name": "Red Hat Enterprise Linux 9.0 Extended Update Support", "release_date": "2023-11-21T00:00:00Z"}, {"advisory": "RHSA-2023:7378", "cpe": "cpe:/a:redhat:rhel_eus:9.2", "package": "fence-agents-0:4.10.0-43.el9_2.2", "product_name": "Red Hat Enterprise Linux 9.2 Extended Update Support", "release_date": "2023-11-21T00:00:00Z"}, {"advisory": "RHSA-2024:0187", "cpe": "cpe:/a:redhat:openstack:17.1::el8", "package": "python-urllib3-0:1.25.10-5.el8ost", "product_name": "Red Hat OpenStack Platform 17.1 for RHEL 8", "release_date": "2024-01-16T00:00:00Z"}, {"advisory": "RHSA-2023:7851", "cpe": "cpe:/a:redhat:satellite:6.14::el8", "package": "createrepo_c", "product_name": "Red Hat Satellite 6", "release_date": "2023-12-14T00:00:00Z"}, {"advisory": "RHSA-2023:7851", "cpe": "cpe:/a:redhat:satellite:6.14::el8", "package": "foreman", "product_name": "Red Hat Satellite 6", "release_date": "2023-12-14T00:00:00Z"}, {"advisory": "RHSA-2023:7851", "cpe": "cpe:/a:redhat:satellite:6.14::el8", "package": "foreman-installer", "product_name": "Red Hat Satellite 6", "release_date": "2023-12-14T00:00:00Z"}, {"advisory": "RHSA-2023:7851", "cpe": "cpe:/a:redhat:satellite:6.14::el8", "package": "pulpcore-selinux", "product_name": "Red Hat Satellite 6", "release_date": "2023-12-14T00:00:00Z"}, {"advisory": "RHSA-2023:7851", "cpe": "cpe:/a:redhat:satellite:6.14::el8", "package": "python-django-import-export", "product_name": "Red Hat Satellite 6", "release_date": "2023-12-14T00:00:00Z"}, {"advisory": "RHSA-2023:7851", "cpe": "cpe:/a:redhat:satellite:6.14::el8", "package": "python-gitpython", "product_name": "Red Hat Satellite 6", "release_date": "2023-12-14T00:00:00Z"}, {"advisory": "RHSA-2023:7851", "cpe": "cpe:/a:redhat:satellite:6.14::el8", "package": "python-pulpcore", "product_name": "Red Hat Satellite 6", "release_date": "2023-12-14T00:00:00Z"}, {"advisory": "RHSA-2023:7851", "cpe": "cpe:/a:redhat:satellite:6.14::el8", "package": "python-pulp-rpm", "product_name": "Red Hat Satellite 6", "release_date": "2023-12-14T00:00:00Z"}, {"advisory": "RHSA-2023:7851", "cpe": "cpe:/a:redhat:satellite:6.14::el8", "package": "python-urllib3", "product_name": "Red Hat Satellite 6", "release_date": "2023-12-14T00:00:00Z"}, {"advisory": "RHSA-2023:7851", "cpe": "cpe:/a:redhat:satellite:6.14::el8", "package": "rubygem-actioncable", "product_name": "Red Hat Satellite 6", "release_date": "2023-12-14T00:00:00Z"}, {"advisory": "RHSA-2023:7851", "cpe": "cpe:/a:redhat:satellite:6.14::el8", "package": "rubygem-actionmailbox", "product_name": "Red Hat Satellite 6", "release_date": "2023-12-14T00:00:00Z"}, {"advisory": "RHSA-2023:7851", "cpe": "cpe:/a:redhat:satellite:6.14::el8", "package": "rubygem-actionmailer", "product_name": "Red Hat Satellite 6", "release_date": "2023-12-14T00:00:00Z"}, {"advisory": "RHSA-2023:7851", "cpe": "cpe:/a:redhat:satellite:6.14::el8", "package": "rubygem-actionpack", "product_name": "Red Hat Satellite 6", "release_date": "2023-12-14T00:00:00Z"}, {"advisory": "RHSA-2023:7851", "cpe": "cpe:/a:redhat:satellite:6.14::el8", "package": "rubygem-actiontext", "product_name": "Red Hat Satellite 6", "release_date": "2023-12-14T00:00:00Z"}, {"advisory": "RHSA-2023:7851", "cpe": "cpe:/a:redhat:satellite:6.14::el8", "package": "rubygem-actionview", "product_name": "Red Hat Satellite 6", "release_date": "2023-12-14T00:00:00Z"}, {"advisory": "RHSA-2023:7851", "cpe": "cpe:/a:redhat:satellite:6.14::el8", "package": "rubygem-activejob", "product_name": "Red Hat Satellite 6", "release_date": "2023-12-14T00:00:00Z"}, {"advisory": "RHSA-2023:7851", "cpe": "cpe:/a:redhat:satellite:6.14::el8", "package": "rubygem-activemodel", "product_name": "Red Hat Satellite 6", "release_date": "2023-12-14T00:00:00Z"}, {"advisory": "RHSA-2023:7851", "cpe": "cpe:/a:redhat:satellite:6.14::el8", "package": "rubygem-activerecord", "product_name": "Red Hat Satellite 6", "release_date": "2023-12-14T00:00:00Z"}, {"advisory": "RHSA-2023:7851", "cpe": "cpe:/a:redhat:satellite:6.14::el8", "package": "rubygem-activestorage", "product_name": "Red Hat Satellite 6", "release_date": "2023-12-14T00:00:00Z"}, {"advisory": "RHSA-2023:7851", "cpe": "cpe:/a:redhat:satellite:6.14::el8", "package": "rubygem-activesupport", "product_name": "Red Hat Satellite 6", "release_date": "2023-12-14T00:00:00Z"}, {"advisory": "RHSA-2023:7851", "cpe": "cpe:/a:redhat:satellite:6.14::el8", "package": "rubygem-foreman_leapp", "product_name": "Red Hat Satellite 6", "release_date": "2023-12-14T00:00:00Z"}, {"advisory": "RHSA-2023:7851", "cpe": "cpe:/a:redhat:satellite:6.14::el8", "package": "rubygem-foreman_remote_execution", "product_name": "Red Hat Satellite 6", "release_date": "2023-12-14T00:00:00Z"}, {"advisory": "RHSA-2023:7851", "cpe": "cpe:/a:redhat:satellite:6.14::el8", "package": "rubygem-katello", "product_name": "Red Hat Satellite 6", "release_date": "2023-12-14T00:00:00Z"}, {"advisory": "RHSA-2023:7851", "cpe": "cpe:/a:redhat:satellite:6.14::el8", "package": "rubygem-rails", "product_name": "Red Hat Satellite 6", "release_date": "2023-12-14T00:00:00Z"}, {"advisory": "RHSA-2023:7851", "cpe": "cpe:/a:redhat:satellite:6.14::el8", "package": "rubygem-railties", "product_name": "Red Hat Satellite 6", "release_date": "2023-12-14T00:00:00Z"}, {"advisory": "RHSA-2023:7851", "cpe": "cpe:/a:redhat:satellite:6.14::el8", "package": "rubygem-smart_proxy_remote_execution_ssh", "product_name": "Red Hat Satellite 6", "release_date": "2023-12-14T00:00:00Z"}, {"advisory": "RHSA-2023:7851", "cpe": "cpe:/a:redhat:satellite:6.14::el8", "package": "satellite", "product_name": "Red Hat Satellite 6", "release_date": "2023-12-14T00:00:00Z"}, {"advisory": "RHSA-2023:7851", "cpe": "cpe:/a:redhat:satellite:6.14::el8", "package": "satellite-convert2rhel-toolkit", "product_name": "Red Hat Satellite 6", "release_date": "2023-12-14T00:00:00Z"}, {"advisory": "RHSA-2024:1383", "cpe": "cpe:/a:redhat:openshift_data_foundation:4.15::el9", "package": "odf4/cephcsi-rhel9:v4.15.0-37", "product_name": "RHODF-4.15-RHEL-9", "release_date": "2024-03-19T00:00:00Z"}, {"advisory": "RHSA-2024:1383", "cpe": "cpe:/a:redhat:openshift_data_foundation:4.15::el9", "package": "odf4/mcg-core-rhel9:v4.15.0-68", "product_name": "RHODF-4.15-RHEL-9", "release_date": "2024-03-19T00:00:00Z"}, {"advisory": "RHSA-2024:1383", "cpe": "cpe:/a:redhat:openshift_data_foundation:4.15::el9", "package": "odf4/mcg-operator-bundle:v4.15.0-158", "product_name": "RHODF-4.15-RHEL-9", "release_date": "2024-03-19T00:00:00Z"}, {"advisory": "RHSA-2024:1383", "cpe": "cpe:/a:redhat:openshift_data_foundation:4.15::el9", "package": "odf4/mcg-rhel9-operator:v4.15.0-39", "product_name": "RHODF-4.15-RHEL-9", "release_date": "2024-03-19T00:00:00Z"}, {"advisory": "RHSA-2024:1383", "cpe": "cpe:/a:redhat:openshift_data_foundation:4.15::el9", "package": "odf4/ocs-client-console-rhel9:v4.15.0-58", "product_name": "RHODF-4.15-RHEL-9", "release_date": "2024-03-19T00:00:00Z"}, {"advisory": "RHSA-2024:1383", "cpe": "cpe:/a:redhat:openshift_data_foundation:4.15::el9", "package": "odf4/ocs-client-operator-bundle:v4.15.0-158", "product_name": "RHODF-4.15-RHEL-9", "release_date": "2024-03-19T00:00:00Z"}, {"advisory": "RHSA-2024:1383", "cpe": "cpe:/a:redhat:openshift_data_foundation:4.15::el9", "package": "odf4/ocs-client-rhel9-operator:v4.15.0-13", "product_name": "RHODF-4.15-RHEL-9", "release_date": "2024-03-19T00:00:00Z"}, {"advisory": "RHSA-2024:1383", "cpe": "cpe:/a:redhat:openshift_data_foundation:4.15::el9", "package": "odf4/ocs-metrics-exporter-rhel9:v4.15.0-81", "product_name": "RHODF-4.15-RHEL-9", "release_date": "2024-03-19T00:00:00Z"}, {"advisory": "RHSA-2024:1383", "cpe": "cpe:/a:redhat:openshift_data_foundation:4.15::el9", "package": "odf4/ocs-operator-bundle:v4.15.0-158", "product_name": "RHODF-4.15-RHEL-9", "release_date": "2024-03-19T00:00:00Z"}, {"advisory": "RHSA-2024:1383", "cpe": "cpe:/a:redhat:openshift_data_foundation:4.15::el9", "package": "odf4/ocs-rhel9-operator:v4.15.0-79", "product_name": "RHODF-4.15-RHEL-9", "release_date": "2024-03-19T00:00:00Z"}, {"advisory": "RHSA-2024:1383", "cpe": "cpe:/a:redhat:openshift_data_foundation:4.15::el9", "package": "odf4/odf-cli-rhel9:v4.15.0-22", "product_name": "RHODF-4.15-RHEL-9", "release_date": "2024-03-19T00:00:00Z"}, {"advisory": "RHSA-2024:1383", "cpe": "cpe:/a:redhat:openshift_data_foundation:4.15::el9", "package": "odf4/odf-console-rhel9:v4.15.0-57", "product_name": "RHODF-4.15-RHEL-9", "release_date": "2024-03-19T00:00:00Z"}, {"advisory": "RHSA-2024:1383", "cpe": "cpe:/a:redhat:openshift_data_foundation:4.15::el9", "package": "odf4/odf-cosi-sidecar-rhel9:v4.15.0-6", "product_name": "RHODF-4.15-RHEL-9", "release_date": "2024-03-19T00:00:00Z"}, {"advisory": "RHSA-2024:1383", "cpe": "cpe:/a:redhat:openshift_data_foundation:4.15::el9", "package": "odf4/odf-csi-addons-operator-bundle:v4.15.0-158", "product_name": "RHODF-4.15-RHEL-9", "release_date": "2024-03-19T00:00:00Z"}, {"advisory": "RHSA-2024:1383", "cpe": "cpe:/a:redhat:openshift_data_foundation:4.15::el9", "package": "odf4/odf-csi-addons-rhel9-operator:v4.15.0-15", "product_name": "RHODF-4.15-RHEL-9", "release_date": "2024-03-19T00:00:00Z"}, {"advisory": "RHSA-2024:1383", "cpe": "cpe:/a:redhat:openshift_data_foundation:4.15::el9", "package": "odf4/odf-csi-addons-sidecar-rhel9:v4.15.0-15", "product_name": "RHODF-4.15-RHEL-9", "release_date": "2024-03-19T00:00:00Z"}, {"advisory": "RHSA-2024:1383", "cpe": "cpe:/a:redhat:openshift_data_foundation:4.15::el9", "package": "odf4/odf-multicluster-console-rhel9:v4.15.0-54", "product_name": "RHODF-4.15-RHEL-9", "release_date": "2024-03-19T00:00:00Z"}, {"advisory": "RHSA-2024:1383", "cpe": "cpe:/a:redhat:openshift_data_foundation:4.15::el9", "package": "odf4/odf-multicluster-operator-bundle:v4.15.0-158", "product_name": "RHODF-4.15-RHEL-9", "release_date": "2024-03-19T00:00:00Z"}, {"advisory": "RHSA-2024:1383", "cpe": "cpe:/a:redhat:openshift_data_foundation:4.15::el9", "package": "odf4/odf-multicluster-rhel9-operator:v4.15.0-10", "product_name": "RHODF-4.15-RHEL-9", "release_date": "2024-03-19T00:00:00Z"}, {"advisory": "RHSA-2024:1383", "cpe": "cpe:/a:redhat:openshift_data_foundation:4.15::el9", "package": "odf4/odf-must-gather-rhel9:v4.15.0-26", "product_name": "RHODF-4.15-RHEL-9", "release_date": "2024-03-19T00:00:00Z"}, {"advisory": "RHSA-2024:1383", "cpe": "cpe:/a:redhat:openshift_data_foundation:4.15::el9", "package": "odf4/odf-operator-bundle:v4.15.0-158", "product_name": "RHODF-4.15-RHEL-9", "release_date": "2024-03-19T00:00:00Z"}, {"advisory": "RHSA-2024:1383", "cpe": "cpe:/a:redhat:openshift_data_foundation:4.15::el9", "package": "odf4/odf-rhel9-operator:v4.15.0-19", "product_name": "RHODF-4.15-RHEL-9", "release_date": "2024-03-19T00:00:00Z"}, {"advisory": "RHSA-2024:1383", "cpe": "cpe:/a:redhat:openshift_data_foundation:4.15::el9", "package": "odf4/odr-cluster-operator-bundle:v4.15.0-158", "product_name": "RHODF-4.15-RHEL-9", "release_date": "2024-03-19T00:00:00Z"}, {"advisory": "RHSA-2024:1383", "cpe": "cpe:/a:redhat:openshift_data_foundation:4.15::el9", "package": "odf4/odr-hub-operator-bundle:v4.15.0-158", "product_name": "RHODF-4.15-RHEL-9", "release_date": "2024-03-19T00:00:00Z"}, {"advisory": "RHSA-2024:1383", "cpe": "cpe:/a:redhat:openshift_data_foundation:4.15::el9", "package": "odf4/odr-rhel9-operator:v4.15.0-21", "product_name": "RHODF-4.15-RHEL-9", "release_date": "2024-03-19T00:00:00Z"}, {"advisory": "RHSA-2024:1383", "cpe": "cpe:/a:redhat:openshift_data_foundation:4.15::el9", "package": "odf4/rook-ceph-rhel9-operator:v4.15.0-103", "product_name": "RHODF-4.15-RHEL-9", "release_date": "2024-03-19T00:00:00Z"}], "bugzilla": {"description": "python-urllib3: Cookie request header isn't stripped during cross-origin redirects", "id": "2242493", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2242493"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.9", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N", "status": "verified"}, "cwe": "CWE-200", "details": ["urllib3 is a user-friendly HTTP client library for Python. urllib3 doesn't treat the `Cookie` HTTP header special or provide any helpers for managing cookies over HTTP, that is the responsibility of the user. However, it is possible for a user to specify a `Cookie` header and unknowingly leak information via HTTP redirects to a different origin if that user doesn't disable redirects explicitly. This issue has been patched in urllib3 version 1.26.17 or 2.0.5.", "A flaw was found in urllib3, a user-friendly HTTP client library for Python. urllib3 doesn't treat the `Cookie` HTTP header special or provide any helpers for managing cookies over HTTP, which is the responsibility of the user. However, it is possible for a user to specify a `Cookie` header and unknowingly leak information via HTTP redirects to a different origin if that user doesn't disable redirects explicitly."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2023-43804", "package_state": [{"cpe": "cpe:/a:redhat:certifications:1::el8", "fix_state": "Affected", "package_name": "redhat-certification-baremetal-container", "product_name": "Red Hat Certification for Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "python-urllib3", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "python-pip", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "python-s3transfer", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "python-urllib3", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "resource-agents", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "container-tools:rhel8/python-podman", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "gimp:flatpak/python2-pip", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "inkscape:flatpak/python2-pip", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "python3.11-pip", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "python-pip", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "python3.11-pip", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "python-pip", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:openshift:3.11", "fix_state": "Affected", "package_name": "python-urllib3", "product_name": "Red Hat OpenShift Container Platform 3.11"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Will not fix", "package_name": "openshift4/baremetal-hardware-event-proxy-rhel8", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Will not fix", "package_name": "openshift4/cnf-tests-rhel8", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ztp-site-generate-rhel8", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift_data_science", "fix_state": "Affected", "package_name": "rhods/odh-ml-pipelines-api-server-rhel8", "product_name": "Red Hat OpenShift Data Science (RHODS)"}, {"cpe": "cpe:/a:redhat:openshift_data_science", "fix_state": "Affected", "package_name": "rhods/odh-ml-pipelines-artifact-manager-rhel8", "product_name": "Red Hat OpenShift Data Science (RHODS)"}, {"cpe": "cpe:/a:redhat:openshift_data_science", "fix_state": "Affected", "package_name": "rhods/odh-ml-pipelines-cache-rhel8", "product_name": "Red Hat OpenShift Data Science (RHODS)"}, {"cpe": "cpe:/a:redhat:openshift_data_science", "fix_state": "Affected", "package_name": "rhods/odh-ml-pipelines-persistenceagent-rhel8", "product_name": "Red Hat OpenShift Data Science (RHODS)"}, {"cpe": "cpe:/a:redhat:openshift_data_science", "fix_state": "Affected", "package_name": "rhods/odh-ml-pipelines-scheduledworkflow-rhel8", "product_name": "Red Hat OpenShift Data Science (RHODS)"}, {"cpe": "cpe:/a:redhat:openshift_data_science", "fix_state": "Affected", "package_name": "rhods/odh-ml-pipelines-viewercontroller-rhel8", "product_name": "Red Hat OpenShift Data Science (RHODS)"}, {"cpe": "cpe:/a:redhat:openstack:16.2", "fix_state": "Out of support scope", "package_name": "python-botocore", "product_name": "Red Hat OpenStack Platform 16.2"}, {"cpe": "cpe:/a:redhat:quay:3", "fix_state": "Affected", "package_name": "quay/quay-rhel8", "product_name": "Red Hat Quay 3"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Affected", "package_name": "python-urllib3", "product_name": "Red Hat Satellite 6"}, {"cpe": "cpe:/a:redhat:rhel_software_collections:3", "fix_state": "Will not fix", "package_name": "rh-python38-python-pip", "product_name": "Red Hat Software Collections"}, {"cpe": "cpe:/a:redhat:rhel_software_collections:3", "fix_state": "Will not fix", "package_name": "rh-python38-python-urllib3", "product_name": "Red Hat Software Collections"}, {"cpe": "cpe:/a:redhat:storage:3", "fix_state": "Affected", "package_name": "graphite-web", "product_name": "Red Hat Storage 3"}], "public_date": "2023-10-04T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-43804\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-43804"], "threat_severity": "Moderate", "upstream_fix": "urllib3 2.0.6, urllib3 1.26.17"}