CVE-2023-45803
Status: Done
Issue #I9C54U
Label: CVE and security issues
openeuler-ci-bot (owner) opened this issue on 2024-03-27 18:36
1. Vulnerability information

Vulnerability ID: [CVE-2023-45803](https://nvd.nist.gov/vuln/detail/CVE-2023-45803)
Affected component: [python-pip](https://gitee.com/src-openeuler/python-pip)
Affected versions: 20.2.2, 20.3.3, 21.3.1, 22.3.1, 23.1.2
CVSS v3.0 score: BaseScore: 4.2 Medium Vector: CVSS:3.0/AV:A/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N

Description:
urllib3 is a user-friendly HTTP client library for Python. urllib3 previously wouldn't remove the HTTP request body when an HTTP redirect response using status 301, 302, or 303 after the request had its method changed from one that could accept a request body (like `POST`) to `GET` as is required by HTTP RFCs. Although this behavior is not specified in the section for redirects, it can be inferred by piecing together information from different sections and we have observed the behavior in other major HTTP client implementations like curl and web browsers. Because the vulnerability requires a previously trusted service to become compromised in order to have an impact on confidentiality we believe the exploitability of this vulnerability is low. Additionally, many users aren't putting sensitive data in HTTP request bodies, if this is the case then this vulnerability isn't exploitable. Both of the following conditions must be true to be affected by this vulnerability: 1. Using urllib3 and submitting sensitive information in the HTTP request body (such as form data or JSON) and 2. The origin service is compromised and starts redirecting using 301, 302, or 303 to a malicious peer or the redirected-to service becomes compromised. This issue has been addressed in versions 1.26.18 and 2.0.7 and users are advised to update to resolve this issue. Users unable to update should disable redirects for services that aren't expecting to respond with redirects with `redirects=False` and disable automatic redirects with `redirects=False` and handle 301, 302, and 303 redirects manually by stripping the HTTP request body.

Vulnerability published: 2023-10-18 04:15:10
Vulnerability created: 2024-04-03 02:04:44
Vulnerability details: https://nvd.nist.gov/vuln/detail/CVE-2023-45803

<details>
<summary>More references (click to expand)</summary>

| Reference source | Reference link | Source link |
| ------- | -------- | -------- |
| security-advisories.github.com | https://github.com/urllib3/urllib3/commit/4e98d57809dacab1cbe625fddeec1a290c478ea9 | |
| security-advisories.github.com | https://github.com/urllib3/urllib3/security/advisories/GHSA-g4mx-q9vg-27p4 | |
| security-advisories.github.com | https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4R2Y5XK3WALSR3FNAGN7JBYV2B343ZKB/ | |
| security-advisories.github.com | https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5F5CUBAN5XMEBVBZPHFITBLMJV5FIJJ5/ | |
| security-advisories.github.com | https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PPDPLM6UUMN55ESPQWJFLLIZY4ZKCNRX/ | |
| security-advisories.github.com | https://www.rfc-editor.org/rfc/rfc9110.html#name-get | |
| suse_bugzilla | https://github.com/urllib3/urllib3/security/advisories/GHSA-g4mx-q9vg-27p4 | https://bugzilla.suse.com/show_bug.cgi?id=1216377 |
| redhat_bugzilla | https://github.com/urllib3/urllib3/security/advisories/GHSA-g4mx-q9vg-27p4 | https://bugzilla.redhat.com/show_bug.cgi?id=2246840 |
| redhat_bugzilla | https://www.rfc-editor.org/rfc/rfc9110.html#name-get | https://bugzilla.redhat.com/show_bug.cgi?id=2246840 |
| redhat_bugzilla | https://github.com/urllib3/urllib3/commit/4e98d57809dacab1cbe625fddeec1a290c478ea9 | https://bugzilla.redhat.com/show_bug.cgi?id=2246840 |
| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2023:7851 | https://bugzilla.redhat.com/show_bug.cgi?id=2246840 |
| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2024:0116 | https://bugzilla.redhat.com/show_bug.cgi?id=2246840 |
| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2024:0300 | https://bugzilla.redhat.com/show_bug.cgi?id=2246840 |
| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2024:0464 | https://bugzilla.redhat.com/show_bug.cgi?id=2246840 |
| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2024:0588 | https://bugzilla.redhat.com/show_bug.cgi?id=2246840 |
| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2024:1155 | https://bugzilla.redhat.com/show_bug.cgi?id=2246840 |
| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2024:2132 | https://bugzilla.redhat.com/show_bug.cgi?id=2246840 |
| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2024:2952 | https://bugzilla.redhat.com/show_bug.cgi?id=2246840 |
| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2024:2968 | https://bugzilla.redhat.com/show_bug.cgi?id=2246840 |
| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2024:2988 | https://bugzilla.redhat.com/show_bug.cgi?id=2246840 |
| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2024:2734 | https://bugzilla.redhat.com/show_bug.cgi?id=2246840 |
| debian | | https://security-tracker.debian.org/tracker/CVE-2023-45803 |
| anolis | | https://anas.openanolis.cn/cves/detail/CVE-2023-45803 |
| cve_search | | https://github.com/urllib3/urllib3/security/advisories/GHSA-g4mx-q9vg-27p4 |
| cve_search | | https://www.rfc-editor.org/rfc/rfc9110.html#name-get |
| cve_search | | https://github.com/urllib3/urllib3/commit/4e98d57809dacab1cbe625fddeec1a290c478ea9 |
| cve_search | | https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PPDPLM6UUMN55ESPQWJFLLIZY4ZKCNRX/ |
| cve_search | | https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4R2Y5XK3WALSR3FNAGN7JBYV2B343ZKB/ |
| github_advisory | https://github.com/urllib3/urllib3/security/advisories/GHSA-g4mx-q9vg-27p4 | https://github.com/advisories/GHSA-g4mx-q9vg-27p4 |
| github_advisory | https://github.com/urllib3/urllib3/commit/b594c5ceaca38e1ac215f916538fb128e3526a36 | https://github.com/advisories/GHSA-g4mx-q9vg-27p4 |
| github_advisory | https://github.com/urllib3/urllib3/releases/tag/1.26.18 | https://github.com/advisories/GHSA-g4mx-q9vg-27p4 |
| github_advisory | https://github.com/urllib3/urllib3/commit/4e50fbc5db74e32cabd5ccc1ab81fc103adfe0b3 | https://github.com/advisories/GHSA-g4mx-q9vg-27p4 |
| github_advisory | https://github.com/urllib3/urllib3/releases/tag/2.0.7 | https://github.com/advisories/GHSA-g4mx-q9vg-27p4 |
| python-urllib3 | | https://github.com/urllib3/urllib3/security/advisories/GHSA-g4mx-q9vg-27p4 |
| osv | https://github.com/urllib3/urllib3/security/advisories/GHSA-g4mx-q9vg-27p4 | https://osv.dev/vulnerability/CVE-2023-45803 |
| osv | https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PPDPLM6UUMN55ESPQWJFLLIZY4ZKCNRX/ | https://osv.dev/vulnerability/CVE-2023-45803 |
| osv | https://github.com/urllib3/urllib3/commit/4e98d57809dacab1cbe625fddeec1a290c478ea9 | https://osv.dev/vulnerability/CVE-2023-45803 |
| osv | https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4R2Y5XK3WALSR3FNAGN7JBYV2B343ZKB/ | https://osv.dev/vulnerability/CVE-2023-45803 |
| osv | https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5F5CUBAN5XMEBVBZPHFITBLMJV5FIJJ5/ | https://osv.dev/vulnerability/CVE-2023-45803 |
| osv | https://www.rfc-editor.org/rfc/rfc9110.html#name-get | https://osv.dev/vulnerability/CVE-2023-45803 |
| amazon_linux_explore | https://access.redhat.com/security/cve/CVE-2023-45803 | https://explore.alas.aws.amazon.com/CVE-2023-45803.html |
| amazon_linux_explore | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-45803 | https://explore.alas.aws.amazon.com/CVE-2023-45803.html |
| snyk | https://github.com/urllib3/urllib3/commit/4e50fbc5db74e32cabd5ccc1ab81fc103adfe0b3 | https://security.snyk.io/vuln/SNYK-PYTHON-URLLIB3-6002459 |
| snyk | https://github.com/urllib3/urllib3/commit/b594c5ceaca38e1ac215f916538fb128e3526a36 | https://security.snyk.io/vuln/SNYK-PYTHON-URLLIB3-6002459 |
| snyk | https://github.com/urllib3/urllib3/releases/tag/1.26.18 | https://security.snyk.io/vuln/SNYK-PYTHON-URLLIB3-6002459 |
| snyk | https://github.com/urllib3/urllib3/releases/tag/2.0.7 | https://security.snyk.io/vuln/SNYK-PYTHON-URLLIB3-6002459 |
| osv | https://github.com/urllib3/urllib3/security/advisories/GHSA-g4mx-q9vg-27p4 | https://osv.dev/vulnerability/GHSA-g4mx-q9vg-27p4 |
| osv | https://github.com/urllib3/urllib3/commit/4e50fbc5db74e32cabd5ccc1ab81fc103adfe0b3 | https://osv.dev/vulnerability/GHSA-g4mx-q9vg-27p4 |
| osv | https://github.com/urllib3/urllib3/commit/b594c5ceaca38e1ac215f916538fb128e3526a36 | https://osv.dev/vulnerability/GHSA-g4mx-q9vg-27p4 |
| osv | https://github.com/urllib3/urllib3 | https://osv.dev/vulnerability/GHSA-g4mx-q9vg-27p4 |
| osv | https://github.com/urllib3/urllib3/releases/tag/1.26.18 | https://osv.dev/vulnerability/GHSA-g4mx-q9vg-27p4 |
| osv | https://github.com/urllib3/urllib3/releases/tag/2.0.7 | https://osv.dev/vulnerability/GHSA-g4mx-q9vg-27p4 |
| security-advisories.github.com | https://github.com/urllib3/urllib3/commit/4e98d57809dacab1cbe625fddeec1a290c478ea9 | |
| security-advisories.github.com | https://github.com/urllib3/urllib3/security/advisories/GHSA-g4mx-q9vg-27p4 | |
| security-advisories.github.com | https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PPDPLM6UUMN55ESPQWJFLLIZY4ZKCNRX/ | |
| security-advisories.github.com | https://www.rfc-editor.org/rfc/rfc9110.html#name-get | |

</details>

Vulnerability analysis guide: https://gitee.com/openeuler/cve-manager/blob/master/cve-vulner-manager/doc/md/manual.md
Vulnerability data source: openBrain open-source vulnerability awareness system
Vulnerability patch information:

<details>
<summary>Details (click to expand)</summary>

| Affected package | Fixed version | Fix patch | Introducing patch | Source |
| ------- | -------- | ------- | -------- | --------- |
| | | https://github.com/urllib3/urllib3/commit/4e98d57809dacab1cbe625fddeec1a290c478ea9 | | security-advisories.github.com |
| | | https://github.com/urllib3/urllib3/commit/4e98d57809dacab1cbe625fddeec1a290c478ea9 | | redhat_bugzilla |
| | | https://github.com/urllib3/urllib3/commit/b594c5ceaca38e1ac215f916538fb128e3526a36 | | github_advisory |
| | | https://github.com/urllib3/urllib3/commit/4e50fbc5db74e32cabd5ccc1ab81fc103adfe0b3 | | github_advisory |
| | | https://github.com/urllib3/urllib3/commit/4e98d57809dacab1cbe625fddeec1a290c478ea9 | | osv |
| | | https://github.com/urllib3/urllib3/commit/4e50fbc5db74e32cabd5ccc1ab81fc103adfe0b3 | | snyk |
| | | https://github.com/urllib3/urllib3/commit/b594c5ceaca38e1ac215f916538fb128e3526a36 | | snyk |
| | | https://github.com/urllib3/urllib3/commit/4e98d57809dacab1cbe625fddeec1a290c478ea9 | | nvd |
| | | https://github.com/urllib3/urllib3/security/advisories/GHSA-g4mx-q9vg-27p4 | | nvd |
| | | https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PPDPLM6UUMN55ESPQWJFLLIZY4ZKCNRX/ | | nvd |
| | | https://www.rfc-editor.org/rfc/rfc9110.html#name-get | | nvd |
| | | https://github.com/urllib3/urllib3/commit/4e50fbc5db74e32cabd5ccc1ab81fc103adfe0b3 | | osv |
| | | https://github.com/urllib3/urllib3/commit/b594c5ceaca38e1ac215f916538fb128e3526a36 | | osv |

</details>

2. Vulnerability analysis feedback

Impact analysis: When urllib3 is used to submit sensitive information (such as form data or JSON) in an HTTP request body, and the origin service is compromised and starts redirecting with 301, 302 or 303 to a malicious peer, or the redirected-to service is compromised, the user's sensitive data may be leaked.

openEuler score: 4.2 Vector: CVSS:3.0/AV:A/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N

Affected version check (affected / not affected):
1. master (23.3.1): affected
2. openEuler-20.03-LTS-SP4 (20.2.2): affected
3. openEuler-22.03-LTS-SP1 (21.3.1): affected
4. openEuler-22.03-LTS-SP3 (21.3.1): affected
5. openEuler-22.03-LTS-SP4 (21.3.1): affected
6. openEuler-24.03-LTS (23.3.1): affected
7. openEuler-24.03-LTS-Next (23.3.1): affected

Does the fix involve an ABI change (yes / no):
1. master (23.3.1): no
2. openEuler-20.03-LTS-SP4 (20.2.2): no
3. openEuler-22.03-LTS-SP1 (21.3.1): no
4. openEuler-22.03-LTS-SP3 (21.3.1): no
5. openEuler-22.03-LTS-SP4 (21.3.1): no
6. openEuler-24.03-LTS (23.3.1): no
7. openEuler-24.03-LTS-Next (23.3.1): no

3. Vulnerability fix

Security bulletin: https://www.openeuler.org/zh/security/safety-bulletin/detail/?id=openEuler-SA-2024-1869
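The mitigation the advisory gives for users who cannot upgrade is to turn automatic redirects off and handle 301/302/303 by hand, stripping the request body once the method has changed to GET. The following is an added example of that pattern, not code from urllib3, pip or openEuler. It uses only the Python standard library (`http.client` never follows redirects on its own), and the local server in `main()` is a constructed stand-in for a compromised origin that answers a POST with a 302. `next_request()` goes slightly beyond the advisory: it also preserves method and body for 307/308 and drops `Authorization`/`Cookie` headers when the redirect leaves the original host, which is an assumption added here rather than something the advisory prescribes.

```python
"""Manual redirect handling that never carries a POST body into a GET."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urljoin, urlsplit

REDIRECT_STATUSES = {301, 302, 303, 307, 308}
# Headers that only make sense together with a request body.
BODY_HEADERS = {"content-length", "content-type", "transfer-encoding", "content-encoding"}
# Assumption added here (mirrors browser behaviour, not advisory text): these
# headers must not follow a redirect to a different host.
CREDENTIAL_HEADERS = {"authorization", "proxy-authorization", "cookie"}


def next_request(method, url, headers, body, status, location):
    """Return (method, url, headers, body) for the request that follows a redirect.

    RFC 9110 section 15.4: 303 changes the method to GET (HEAD stays HEAD);
    301/302 change POST to GET in practice (browsers, curl); 307/308 keep the
    method and body.  Whenever the method changes, the body is dropped with it.
    """
    target = urljoin(url, location)
    new_method, new_body = method, body
    if status == 303 and method != "HEAD":
        new_method, new_body = "GET", None
    elif status in (301, 302) and method == "POST":
        new_method, new_body = "GET", None
    cross_host = urlsplit(target).netloc != urlsplit(url).netloc
    new_headers = {}
    for name, value in headers.items():
        lname = name.lower()
        if new_method != method and lname in BODY_HEADERS:
            continue  # the body is gone, so its descriptors go too
        if cross_host and lname in CREDENTIAL_HEADERS:
            continue  # never forward credentials to another host
        new_headers[name] = value
    return new_method, target, new_headers, new_body


def send_with_manual_redirects(method, url, headers, body, max_redirects=5):
    """Send with http.client (no automatic redirects) and follow 3xx by hand.

    Returns the final status code."""
    for _ in range(max_redirects + 1):
        parts = urlsplit(url)
        conn = http.client.HTTPConnection(parts.hostname, parts.port, timeout=5)
        conn.request(method, parts.path or "/", body=body, headers=headers)
        resp = conn.getresponse()
        resp.read()
        location = resp.getheader("Location")
        conn.close()
        if resp.status not in REDIRECT_STATUSES or not location:
            return resp.status
        method, url, headers, body = next_request(
            method, url, headers, body, resp.status, location)
    raise RuntimeError("too many redirects")


class _RedirectingOrigin(BaseHTTPRequestHandler):
    """Constructed server: POST /login answers 302 -> /landing; GET /landing
    records how many body bytes arrived (a leak shows as a non-zero count)."""
    seen = []

    def _drain(self):
        return len(self.rfile.read(int(self.headers.get("Content-Length", 0))))

    def do_POST(self):
        self._drain()
        self.send_response(302)
        self.send_header("Location", "/landing")
        self.end_headers()

    def do_GET(self):
        _RedirectingOrigin.seen.append((self.command, self.path, self._drain()))
        self.send_response(200)
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


def main():
    server = HTTPServer(("127.0.0.1", 0), _RedirectingOrigin)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        url = f"http://127.0.0.1:{server.server_port}/login"
        headers = {"Content-Type": "application/json"}
        status = send_with_manual_redirects(
            method="POST", url=url, headers=headers, body=b'{"password": "constructed"}')
        # The GET to /landing should have arrived with a zero-length body.
        print(status, _RedirectingOrigin.seen)
    finally:
        server.shutdown()


if __name__ == "__main__":
    main()
```

In urllib3 itself the switch is the `redirect=False` keyword of `request()`/`urlopen()` (the advisory text above spells it `redirects=False`); with it set, `response.get_redirect_location()` gives the `Location` value and a loop like `send_with_manual_redirects()` can apply the same body-stripping rule before re-issuing the request. The class-level `seen` list is the check a defender wants: if the GET ever arrives with a non-zero byte count, the body followed the redirect.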
Comments (11)

Status: Done
Assignee: yangyuan32
Labels: CVE/FIXED, sig/Base-service
Projects: none
Milestones: none
Pull Requests: none yet