Wind River Support Network

Meet the Support Network

Home CVE Database CVE-2024-37891

CVE-2024-37891

Description

urllib3 is a user-friendly HTTP client library for Python. When using urllib3\'s proxy support with `ProxyManager`, the `Proxy-Authorization` header is only sent to the configured proxy, as expected. However, when sending HTTP requests *without* using urllib3\'s proxy support, it\'s possible to accidentally configure the `Proxy-Authorization` header even though it won\'t have any effect as the request is not using a forwarding proxy or a tunneling proxy. In those cases, urllib3 doesn\'t treat the `Proxy-Authorization` HTTP header as one carrying authentication material and thus doesn\'t strip the header on cross-origin redirects. Because this is a highly unlikely scenario, we believe the severity of this vulnerability is low for almost all users. Out of an abundance of caution urllib3 will automatically strip the `Proxy-Authorization` header during cross-origin redirects to avoid the small chance that users are doing this on accident. Users should use urllib3\'s proxy support or disable automatic redirects to achieve safe processing of the `Proxy-Authorization` header, but we still decided to strip the header by default in order to further protect users who aren\'t using the correct approach. We believe the number of usages affected by this advisory is low. It requires all of the following to be true to be exploited: 1. Setting the `Proxy-Authorization` header without using urllib3\'s built-in proxy support. 2. Not disabling HTTP redirects. 3. Either not using an HTTPS origin server or for the proxy or target origin to redirect to a malicious origin. Users are advised to update to either version 1.26.19 or version 2.2.2. Users unable to upgrade may use the `Proxy-Authorization` header with urllib3\'s `ProxyManager`, disable HTTP redirects using `redirects=False` when sending requests, or not user the `Proxy-Authorization` header as mitigations.

Priority: --
CVSS v3: 4.4
Component: python-urllib3
Publish Date: Jun 17, 2024
Related ID: --
CVSS v2: MEDIUM
Modified Date: Jun 17, 2024

Find out more about CVE-2024-37891 from the MITRE-CVE dictionary and NIST NVD


Products Affected

Login may be required to access defects or downloads.

Product Name Status Defect Fixed Downloads
Linux
Wind River Linux LTS 17 Requires LTSS -- -- --
Wind River Linux 8 Requires LTSS -- -- --
Wind River Linux 9 Requires LTSS -- -- --
Wind River Linux 7 Not Vulnerable -- -- --
Wind River Linux LTS 21 Fixed LIN1021-9805
10.21.20.24 --
Wind River Linux LTS 22 Investigating -- -- --
Wind River Linux LTS 18 Requires LTSS -- -- --
Wind River Linux LTS 19 Requires LTSS -- -- --
Wind River Linux CD release N/A -- -- --
Wind River Linux 6 Not Vulnerable -- -- --
Wind River Linux LTS 23 Investigating -- -- --
Wind River Linux LTS 24 Fixed LIN1024-2094
10.24.33.5 --
VxWorks
VxWorks 7 Not Vulnerable -- -- --
VxWorks 6.9 Not Vulnerable -- -- --
Helix Virtualization Platform Cert Edition
Helix Virtualization Platform Cert Edition Not Vulnerable -- -- --
eLxr
eLxr 12 Vulnerable -- -- --
Wind River Studio Cloud Platform

Related Products

Product Name Status Defect Fixed Downloads

Notes
Requires LTSS - customers must have active LTSS (Long Term Security Shield) Support to receive up-to-date information about vulnerabilities that may affect legacy software. Please contact your Wind River account team or see https://docs.windriver.com/bundle/Support_and_Maintenance_Supplemental_Terms_and_Conditions and https://support2.windriver.com/index.php?page=plc for more information.
Live chat
Online