CVE-2023-45803

一、漏洞信息
漏洞编号：CVE-2023-45803
漏洞归属组件：python-pip
漏洞归属的版本：20.2.2,20.3.3,21.3.1,22.3.1,23.1.2
CVSS V3.0分值：
BaseScore：4.2 Medium
Vector：CVSS：3.0/AV:A/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N
漏洞简述：
urllib3 is a user-friendly HTTP client library for Python. urllib3 previously wouldn t remove the HTTP request body when an HTTP redirect response using status 301, 302, or 303 after the request had its method changed from one that could accept a request body (like POST) to GET as is required by HTTP RFCs. Although this behavior is not specified in the section for redirects, it can be inferred by piecing together information from different sections and we have observed the behavior in other major HTTP client implementations like curl and web browsers. Because the vulnerability requires a previously trusted service to become compromised in order to have an impact on confidentiality we believe the exploitability of this vulnerability is low. Additionally, many users aren t putting sensitive data in HTTP request bodies, if this is the case then this vulnerability isn t exploitable. Both of the following conditions must be true to be affected by this vulnerability: 1. Using urllib3 and submitting sensitive information in the HTTP request body (such as form data or JSON) and 2. The origin service is compromised and starts redirecting using 301, 302, or 303 to a malicious peer or the redirected-to service becomes compromised. This issue has been addressed in versions 1.26.18 and 2.0.7 and users are advised to update to resolve this issue. Users unable to update should disable redirects for services that aren t expecting to respond with redirects with redirects=False and disable automatic redirects with redirects=False and handle 301, 302, and 303 redirects manually by stripping the HTTP request body.
漏洞公开时间：2023-10-18 04:15:10
漏洞创建时间：2024-04-03 02:04:44
漏洞详情参考链接：
https://nvd.nist.gov/vuln/detail/CVE-2023-45803

更多参考(点击展开)

参考来源	参考链接	来源链接
security-advisories.github.com	https://github.com/urllib3/urllib3/commit/4e98d57809dacab1cbe625fddeec1a290c478ea9
security-advisories.github.com	https://github.com/urllib3/urllib3/security/advisories/GHSA-g4mx-q9vg-27p4
security-advisories.github.com	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4R2Y5XK3WALSR3FNAGN7JBYV2B343ZKB/
security-advisories.github.com	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5F5CUBAN5XMEBVBZPHFITBLMJV5FIJJ5/
security-advisories.github.com	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PPDPLM6UUMN55ESPQWJFLLIZY4ZKCNRX/
security-advisories.github.com	https://www.rfc-editor.org/rfc/rfc9110.html#name-get
suse_bugzilla	https://github.com/urllib3/urllib3/security/advisories/GHSA-g4mx-q9vg-27p4	https://bugzilla.suse.com/show_bug.cgi?id=1216377
redhat_bugzilla	https://github.com/urllib3/urllib3/security/advisories/GHSA-g4mx-q9vg-27p4	https://bugzilla.redhat.com/show_bug.cgi?id=2246840
redhat_bugzilla	https://www.rfc-editor.org/rfc/rfc9110.html#name-get	https://bugzilla.redhat.com/show_bug.cgi?id=2246840
redhat_bugzilla	https://github.com/urllib3/urllib3/commit/4e98d57809dacab1cbe625fddeec1a290c478ea9	https://bugzilla.redhat.com/show_bug.cgi?id=2246840
redhat_bugzilla	https://access.redhat.com/errata/RHSA-2023:7851	https://bugzilla.redhat.com/show_bug.cgi?id=2246840
redhat_bugzilla	https://access.redhat.com/errata/RHSA-2024:0116	https://bugzilla.redhat.com/show_bug.cgi?id=2246840
redhat_bugzilla	https://access.redhat.com/errata/RHSA-2024:0300	https://bugzilla.redhat.com/show_bug.cgi?id=2246840
redhat_bugzilla	https://access.redhat.com/errata/RHSA-2024:0464	https://bugzilla.redhat.com/show_bug.cgi?id=2246840
redhat_bugzilla	https://access.redhat.com/errata/RHSA-2024:0588	https://bugzilla.redhat.com/show_bug.cgi?id=2246840
redhat_bugzilla	https://access.redhat.com/errata/RHSA-2024:1155	https://bugzilla.redhat.com/show_bug.cgi?id=2246840
redhat_bugzilla	https://access.redhat.com/errata/RHSA-2024:2132	https://bugzilla.redhat.com/show_bug.cgi?id=2246840
redhat_bugzilla	https://access.redhat.com/errata/RHSA-2024:2952	https://bugzilla.redhat.com/show_bug.cgi?id=2246840
redhat_bugzilla	https://access.redhat.com/errata/RHSA-2024:2968	https://bugzilla.redhat.com/show_bug.cgi?id=2246840
redhat_bugzilla	https://access.redhat.com/errata/RHSA-2024:2988	https://bugzilla.redhat.com/show_bug.cgi?id=2246840
redhat_bugzilla	https://access.redhat.com/errata/RHSA-2024:2734	https://bugzilla.redhat.com/show_bug.cgi?id=2246840
debian		https://security-tracker.debian.org/tracker/CVE-2023-45803
anolis		https://anas.openanolis.cn/cves/detail/CVE-2023-45803
cve_search		https://github.com/urllib3/urllib3/security/advisories/GHSA-g4mx-q9vg-27p4
cve_search		https://www.rfc-editor.org/rfc/rfc9110.html#name-get
cve_search		https://github.com/urllib3/urllib3/commit/4e98d57809dacab1cbe625fddeec1a290c478ea9
cve_search		https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PPDPLM6UUMN55ESPQWJFLLIZY4ZKCNRX/
cve_search		https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4R2Y5XK3WALSR3FNAGN7JBYV2B343ZKB/
github_advisory	https://github.com/urllib3/urllib3/security/advisories/GHSA-g4mx-q9vg-27p4	https://github.com/advisories/GHSA-g4mx-q9vg-27p4
github_advisory	https://github.com/urllib3/urllib3/commit/b594c5ceaca38e1ac215f916538fb128e3526a36	https://github.com/advisories/GHSA-g4mx-q9vg-27p4
github_advisory	https://github.com/urllib3/urllib3/releases/tag/1.26.18	https://github.com/advisories/GHSA-g4mx-q9vg-27p4
github_advisory	https://github.com/urllib3/urllib3/commit/4e50fbc5db74e32cabd5ccc1ab81fc103adfe0b3	https://github.com/advisories/GHSA-g4mx-q9vg-27p4
github_advisory	https://github.com/urllib3/urllib3/releases/tag/2.0.7	https://github.com/advisories/GHSA-g4mx-q9vg-27p4
python-urllib3		https://github.com/urllib3/urllib3/security/advisories/GHSA-g4mx-q9vg-27p4
osv	https://github.com/urllib3/urllib3/security/advisories/GHSA-g4mx-q9vg-27p4	https://osv.dev/vulnerability/CVE-2023-45803
osv	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PPDPLM6UUMN55ESPQWJFLLIZY4ZKCNRX/	https://osv.dev/vulnerability/CVE-2023-45803
osv	https://github.com/urllib3/urllib3/commit/4e98d57809dacab1cbe625fddeec1a290c478ea9	https://osv.dev/vulnerability/CVE-2023-45803
osv	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4R2Y5XK3WALSR3FNAGN7JBYV2B343ZKB/	https://osv.dev/vulnerability/CVE-2023-45803
osv	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5F5CUBAN5XMEBVBZPHFITBLMJV5FIJJ5/	https://osv.dev/vulnerability/CVE-2023-45803
osv	https://www.rfc-editor.org/rfc/rfc9110.html#name-get	https://osv.dev/vulnerability/CVE-2023-45803
amazon_linux_explore	https://access.redhat.com/security/cve/CVE-2023-45803	https://explore.alas.aws.amazon.com/CVE-2023-45803.html
amazon_linux_explore	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-45803	https://explore.alas.aws.amazon.com/CVE-2023-45803.html
snyk	https://github.com/urllib3/urllib3/commit/4e50fbc5db74e32cabd5ccc1ab81fc103adfe0b3	https://security.snyk.io/vuln/SNYK-PYTHON-URLLIB3-6002459
snyk	https://github.com/urllib3/urllib3/commit/b594c5ceaca38e1ac215f916538fb128e3526a36	https://security.snyk.io/vuln/SNYK-PYTHON-URLLIB3-6002459
snyk	https://github.com/urllib3/urllib3/releases/tag/1.26.18	https://security.snyk.io/vuln/SNYK-PYTHON-URLLIB3-6002459
snyk	https://github.com/urllib3/urllib3/releases/tag/2.0.7	https://security.snyk.io/vuln/SNYK-PYTHON-URLLIB3-6002459
osv	https://github.com/urllib3/urllib3/security/advisories/GHSA-g4mx-q9vg-27p4' target='_blank' rel='noopener noreferrer	https://osv.dev/vulnerability/GHSA-g4mx-q9vg-27p4
osv	https://github.com/urllib3/urllib3/commit/4e50fbc5db74e32cabd5ccc1ab81fc103adfe0b3' target='_blank' rel='noopener noreferrer	https://osv.dev/vulnerability/GHSA-g4mx-q9vg-27p4
osv	https://github.com/urllib3/urllib3/commit/b594c5ceaca38e1ac215f916538fb128e3526a36' target='_blank' rel='noopener noreferrer	https://osv.dev/vulnerability/GHSA-g4mx-q9vg-27p4
osv	https://github.com/urllib3/urllib3' target='_blank' rel='noopener noreferrer	https://osv.dev/vulnerability/GHSA-g4mx-q9vg-27p4
osv	https://github.com/urllib3/urllib3/releases/tag/1.26.18' target='_blank' rel='noopener noreferrer	https://osv.dev/vulnerability/GHSA-g4mx-q9vg-27p4
osv	https://github.com/urllib3/urllib3/releases/tag/2.0.7' target='_blank' rel='noopener noreferrer	https://osv.dev/vulnerability/GHSA-g4mx-q9vg-27p4
security-advisories.github.com	https://github.com/urllib3/urllib3/commit/4e98d57809dacab1cbe625fddeec1a290c478ea9
security-advisories.github.com	https://github.com/urllib3/urllib3/security/advisories/GHSA-g4mx-q9vg-27p4
security-advisories.github.com	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PPDPLM6UUMN55ESPQWJFLLIZY4ZKCNRX/
security-advisories.github.com	https://www.rfc-editor.org/rfc/rfc9110.html#name-get

漏洞分析指导链接：
https://gitee.com/openeuler/cve-manager/blob/master/cve-vulner-manager/doc/md/manual.md
漏洞数据来源:
openBrain开源漏洞感知系统
漏洞补丁信息：

详情(点击展开)

影响的包	修复版本	修复补丁	问题引入补丁	来源
		https://github.com/urllib3/urllib3/commit/4e98d57809dacab1cbe625fddeec1a290c478ea9		security-advisories.github.com
		https://github.com/urllib3/urllib3/commit/4e98d57809dacab1cbe625fddeec1a290c478ea9		redhat_bugzilla
		https://github.com/urllib3/urllib3/commit/b594c5ceaca38e1ac215f916538fb128e3526a36		github_advisory
		https://github.com/urllib3/urllib3/commit/4e50fbc5db74e32cabd5ccc1ab81fc103adfe0b3		github_advisory
		https://github.com/urllib3/urllib3/commit/4e98d57809dacab1cbe625fddeec1a290c478ea9		osv
		https://github.com/urllib3/urllib3/commit/4e50fbc5db74e32cabd5ccc1ab81fc103adfe0b3		snyk
		https://github.com/urllib3/urllib3/commit/b594c5ceaca38e1ac215f916538fb128e3526a36		snyk
		https://github.com/urllib3/urllib3/commit/4e98d57809dacab1cbe625fddeec1a290c478ea9		nvd
		https://github.com/urllib3/urllib3/security/advisories/GHSA-g4mx-q9vg-27p4		nvd
		https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PPDPLM6UUMN55ESPQWJFLLIZY4ZKCNRX/		nvd
		https://www.rfc-editor.org/rfc/rfc9110.html#name-get		nvd
		https://github.com/urllib3/urllib3/commit/4e50fbc5db74e32cabd5ccc1ab81fc103adfe0b3' target='_blank' rel='noopener noreferrer		osv
		https://github.com/urllib3/urllib3/commit/b594c5ceaca38e1ac215f916538fb128e3526a36' target='_blank' rel='noopener noreferrer		osv

二、漏洞分析结构反馈
影响性分析说明：
使用urllib3并提交HTTP请求体中的敏感信息（如表单数据或JSON), 且源服务被破坏，并开始使用301、302或303重定向到恶意对等体，或者重定向到的服务被破坏时，可能导致用户的敏感数据泄漏
openEuler评分：
4.2
Vector：CVSS：3.0/AV:A/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N
受影响版本排查(受影响/不受影响)：
1.master(23.3.1):受影响
2.openEuler-20.03-LTS-SP4(20.2.2):受影响
3.openEuler-22.03-LTS-SP1(21.3.1):受影响
4.openEuler-22.03-LTS-SP3(21.3.1):受影响
5.openEuler-22.03-LTS-SP4(21.3.1):受影响
6.openEuler-24.03-LTS(23.3.1):受影响
7.openEuler-24.03-LTS-Next(23.3.1):受影响

修复是否涉及abi变化(是/否)：
1.master(23.3.1):否
2.openEuler-20.03-LTS-SP4(20.2.2):否
3.openEuler-22.03-LTS-SP1(21.3.1):否
4.openEuler-22.03-LTS-SP3(21.3.1):否
5.openEuler-22.03-LTS-SP4(21.3.1):否
6.openEuler-24.03-LTS(23.3.1):否
7.openEuler-24.03-LTS-Next(23.3.1):否

三、漏洞修复
安全公告链接：https://www.openeuler.org/zh/security/safety-bulletin/detail/?id=openEuler-SA-2024-1869

@zhujianwei001 ,@xiezhipeng1 ,@licihua ,@overweight ,@gaoruoshu ,@dillon_chen ,@zhuchunyi 
**issue处理注意事项:** 
**1. 当前issue受影响的分支提交pr时, 须在pr描述中填写当前issue编号进行关联, 否则无法关闭当前issue;**
**2. 模板内容需要填写完整, 无论是受影响或者不受影响都需要填写完整内容,未引入的分支不需要填写, 否则无法关闭当前issue;**
**3. 以下为模板中需要填写完整的内容, 请复制到评论区回复, 注: 内容的标题名称(影响性分析说明, openEuler评分, 受影响版本排查(受影响/不受影响), 修复是否涉及abi变化(是/否))不能省略,省略后cve-manager将无法正常解析填写内容.**
************************************************************************
影响性分析说明:

openEuler评分: (评分和向量)

受影响版本排查(受影响/不受影响): 
1.master(23.1.2):
2.openEuler-20.03-LTS-SP1(20.2.2):
3.openEuler-20.03-LTS-SP4(20.2.2):
4.openEuler-22.03-LTS(21.3.1):
5.openEuler-22.03-LTS-Next(21.3.1):
6.openEuler-22.03-LTS-SP1(21.3.1):
7.openEuler-22.03-LTS-SP2(21.3.1):
8.openEuler-22.03-LTS-SP3(21.3.1):
9.openEuler-24.03-LTS:

修复是否涉及abi变化(是/否)：
1.master(23.1.2):
2.openEuler-20.03-LTS-SP1(20.2.2):
3.openEuler-20.03-LTS-SP4(20.2.2):
4.openEuler-22.03-LTS(21.3.1):
5.openEuler-22.03-LTS-Next(21.3.1):
6.openEuler-22.03-LTS-SP1(21.3.1):
7.openEuler-22.03-LTS-SP2(21.3.1):
8.openEuler-22.03-LTS-SP3(21.3.1):
9.openEuler-24.03-LTS:

-----------------------------------------------------------------------
issue处理具体操作请参考: 
https://gitee.com/openeuler/cve-manager/blob/master/cve-vulner-manager/doc/md/manual.md
pr关联issue具体操作请参考:
https://gitee.com/help/articles/4142

参考网址	关联pr	状态	补丁链接
https://nvd.nist.gov/vuln/detail/CVE-2023-45803	None	None	https://github.com/urllib3/urllib3/commit/4e98d57809dacab1cbe625fddeec1a290c478ea9
https://ubuntu.com/security/CVE-2023-45803	None	None	https://github.com/urllib3/urllib3/commit/4e98d57809dacab1cbe625fddeec1a290c478ea9 https://discourse.ubuntu.com/c/ubuntu-pro
https://www.opencve.io/cve/CVE-2023-45803	None	None	https://github.com/urllib3/urllib3/commit/4e98d57809dacab1cbe625fddeec1a290c478ea9
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2023-45803	None	None	https://github.com/urllib3/urllib3/commit/4e98d57809dacab1cbe625fddeec1a290c478ea9
https://security-tracker.debian.org/tracker/CVE-2023-45803	None	None	https://github.com/urllib3/urllib3/commit/b594c5ceaca38e1ac215f916538fb128e3526a36

说明：补丁链接仅供初步排查参考，实际可用性请人工再次确认，补丁下载验证可使用CVE补丁工具。
若补丁不准确，烦请在此issue下评论 '/report-patch 参考网址补丁链接1,补丁链接2' 反馈正确信息，便于我们不断优化工具，不胜感激。
如 /report-patch https://security-tracker.debian.org/tracker/CVE-2021-3997 https://github.com/systemd/systemd/commit/5b1cf7a9be37e20133c0208005274ce4a5b5c6a1

影响性分析说明：使用urllib3并提交HTTP请求体中的敏感信息（如表单数据或JSON), 且源服务被破坏，并开始使用301、302或303重定向到恶意对等体，或者重定向到的服务被破坏时，可能导致用户的敏感数据泄漏；该漏洞来自于python-urllib3包，已有issue跟踪（（修复链接）），且各个分支对应的1.25.9、1.26.7、1.26.12、1.26.18各个版本都已修复，python-pip无影响。

openEuler评分：
4.2
Vector：CVSS：3.0/AV:A/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N

受影响版本排查(受影响/不受影响)：
1.openEuler-20.03-LTS(20.2.2):不受影响
2.openEuler-20.09(20.2.2):不受影响
3.master(23.1.2):不受影响
4.openEuler-20.03-LTS-SP1(20.2.2):不受影响
5.openEuler-20.03-LTS-SP4(20.2.2):不受影响
6.openEuler-22.03-LTS(21.3.1):不受影响
7.openEuler-22.03-LTS-Next(21.3.1):不受影响
8.openEuler-22.03-LTS-SP1(21.3.1):不受影响
9.openEuler-22.03-LTS-SP2(21.3.1):不受影响
10.openEuler-22.03-LTS-SP3(21.3.1):不受影响
11.openEuler-24.03-LTS:不受影响

修复是否涉及abi变化(是/否)：
1.master(23.1.2):否
2.openEuler-20.03-LTS-SP1(20.2.2):否
3.openEuler-20.03-LTS-SP4(20.2.2):否
4.openEuler-22.03-LTS(21.3.1):否
5.openEuler-22.03-LTS-Next(21.3.1):否
6.openEuler-22.03-LTS-SP1(21.3.1):否
7.openEuler-22.03-LTS-SP2(21.3.1):否
8.openEuler-22.03-LTS-SP3(21.3.1):否
9.openEuler-24.03-LTS:否

/reason 使用urllib3并提交HTTP请求体中的敏感信息（如表单数据或JSON), 且源服务被破坏，并开始使用301、302或303重定向到恶意对等体，或者重定向到的服务被破坏时，可能导致用户的敏感数据泄漏；该漏洞来自于python-urllib3包，已有issue跟踪（（修复链接）），且各个分支对应的1.25.9、1.26.7、1.26.12、1.26.18各个版本都已修复，python-pip无影响。

issue状态	操作者	原因
已拒绝	xieminmin	使用urllib3并提交HTTP请求体中的敏感信息（如表单数据或JSON), 且源服务被破坏，并开始使用301、302或303重定向到恶意对等体，或者重定向到的服务被破坏时，可能导致用户的敏感数据泄漏；该漏洞来自于python-urllib3包，已有issue跟踪（（修复链接）），且各个分支对应的1.25.9、1.26.7、1.26.12、1.26.18各个版本都已修复，python-pip无影响。

issue状态	操作者	原因
已拒绝	xieminmin	使用urllib3并提交HTTP请求体中的敏感信息（如表单数据或JSON), 且源服务被破坏，并开始使用301、302或303重定向到恶意对等体，或者重定向到的服务被破坏时，可能导致用户的敏感数据泄漏；该漏洞来自于python-urllib3包，已有issue跟踪（（修复链接）），且各个分支对应的1.25.9、1.26.7、1.26.12、1.26.18各个版本都已修复，python-pip无影响。

影响性分析说明:
使用urllib3并提交HTTP请求体中的敏感信息（如表单数据或JSON), 且源服务被破坏，并开始使用301、302或303重定向到恶意对等体，或者重定向到的服务被破坏时，可能导致用户的敏感数据泄漏
openEuler评分: (评分和向量)
4.2
Vector：CVSS：3.0/AV:A/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N
受影响版本排查(受影响/不受影响)：
1.master(23.3.1):受影响
2.openEuler-20.03-LTS-SP4(20.2.2):受影响
3.openEuler-22.03-LTS-SP1(21.3.1):受影响
4.openEuler-22.03-LTS-SP3(21.3.1):受影响
5.openEuler-22.03-LTS-SP4(21.3.1):受影响
6.openEuler-24.03-LTS(23.3.1):受影响
7.openEuler-24.03-LTS-Next(23.3.1):受影响

修复是否涉及abi变化(是/否)：
1.master(23.3.1):否
2.openEuler-20.03-LTS-SP4(20.2.2):否
3.openEuler-22.03-LTS-SP1(21.3.1):否
4.openEuler-22.03-LTS-SP3(21.3.1):否
5.openEuler-22.03-LTS-SP4(21.3.1):否
6.openEuler-24.03-LTS(23.3.1):否
7.openEuler-24.03-LTS-Next(23.3.1):否

src-openEuler/python-pip

内容风险标识

评论 (11)

src-openEuler/python-pip .gitee-modal { width: 500px !important; }

内容风险标识

CVE-2023-45803

评论 (11)

搜索帮助

src-openEuler/python-pip