CVE-2023-32681
Information Disclosure vulnerability in requests (PyPI)
What is CVE-2023-32681 About?
Requests v2.3.0 and later are vulnerable to leaking `Proxy-Authorization` headers, particularly during redirects to HTTPS origins. This can expose proxy credentials to destination servers, posing a significant information disclosure risk. Exploitation occurs under specific redirect scenarios, primarily for requests where the proxy credentials are supplied in the proxy URL.
Affected Software
- requests
- <74ea7cf7a6a27a4eeb2ae24e162bcc942a6706d5
- >2.3.0, <2.31.0
Technical Details
This vulnerability, present since Requests v2.3.0, leads to the unintended leakage of Proxy-Authorization headers. The issue arises from the rebuild_proxies function which recomputes and reattaches the Proxy-Authorization header during redirects. Specifically, when a request with proxy credentials embedded in the URL (e.g., https://username:password@proxy:8080) is redirected to an HTTPS destination (HTTP -> HTTPS or HTTPS -> HTTPS), Requests inappropriately includes the Proxy-Authorization header in the subsequent request to the final destination server. Normally, for HTTPS tunneled connections, the Proxy-Authorization header should only be in the initial CONNECT request to the proxy. The Proxy-Authorization header should be handled exclusively by urllib3's ProxyManager for the CONNECT request, but rebuild_proxies reintroduces it to the subsequent request, exposing it to the destination.
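The following is an added example and not code from the requests project or from this advisory. It models the redirect-time header rebuild described above in two variants: a flawed one that re-attaches `Proxy-Authorization` on every redirected request, and a hardened one that omits it for HTTPS destinations, where the credential belongs only in the proxy CONNECT handshake (handled by urllib3's ProxyManager in real Requests). A small audit function walks a constructed redirect chain and reports the hops at which each variant would deliver the proxy credential to the destination origin. All function names, hostnames and the credential value are hypothetical, and the "skip for https schemes" rule is this example's modelling of the hardened behaviour, not a reproduction of the upstream patch.

```python
# Added example (not code from the requests project): a model of the
# redirect-time proxy header rebuild that CVE-2023-32681 concerns, with a
# vulnerable and a hardened variant side by side, plus a check that flags
# the hops in a redirect chain where proxy credentials would reach the
# destination server. Function names, hosts and credentials are hypothetical.
from base64 import b64encode
from urllib.parse import unquote, urlparse


def get_auth_from_url(url):
    """Return (username, password) embedded in a proxy URL, or (None, None)."""
    parsed = urlparse(url)
    if not parsed.username:
        return None, None
    return unquote(parsed.username), unquote(parsed.password or "")


def basic_auth_str(username, password):
    """Build the value of a Basic Proxy-Authorization header."""
    token = b64encode(f"{username}:{password}".encode("latin1")).decode("ascii")
    return f"Basic {token}"


def rebuild_proxies_vulnerable(redirect_url, proxies, headers):
    """Model of the flawed behaviour: credentials from the matching proxy URL
    are re-attached as Proxy-Authorization on every redirected request,
    including HTTPS ones, where the header travels inside the TLS tunnel to
    the destination instead of stopping at the proxy's CONNECT."""
    headers = dict(headers)
    headers.pop("Proxy-Authorization", None)
    scheme = urlparse(redirect_url).scheme
    username, password = get_auth_from_url(proxies.get(scheme, ""))
    if username and password:
        headers["Proxy-Authorization"] = basic_auth_str(username, password)
    return headers


def rebuild_proxies_fixed(redirect_url, proxies, headers):
    """Hardened variant (this example's modelling, not the upstream patch):
    for HTTPS destinations the proxy credentials are left to the CONNECT
    handshake, so the header is only attached for plain-HTTP requests, which
    the proxy itself reads and consumes."""
    headers = dict(headers)
    headers.pop("Proxy-Authorization", None)
    scheme = urlparse(redirect_url).scheme
    username, password = get_auth_from_url(proxies.get(scheme, ""))
    if username and password and not scheme.startswith("https"):
        headers["Proxy-Authorization"] = basic_auth_str(username, password)
    return headers


def leaks_proxy_credentials(url, headers):
    """True when Proxy-Authorization would be delivered to an HTTPS origin."""
    return urlparse(url).scheme == "https" and "Proxy-Authorization" in headers


def audit_redirect_chain(hops, proxies, rebuild):
    """Walk a constructed redirect chain and return the URLs at which the given
    rebuild strategy would expose the proxy credentials to the destination."""
    headers = {"User-Agent": "audit-example/0.1"}
    leaked_at = []
    for url in hops[1:]:  # hops[0] is the original request; the rest are redirects
        headers = rebuild(url, proxies, headers)
        if leaks_proxy_credentials(url, headers):
            leaked_at.append(url)
    return leaked_at


# Constructed inputs: an authenticated proxy URL and a redirect chain that
# crosses from HTTP to HTTPS, the scenario described in the advisory.
PROXIES = {
    "http": "http://user:s3cret@proxy.example.test:8080",
    "https": "http://user:s3cret@proxy.example.test:8080",
}
REDIRECT_CHAIN = [
    "http://start.example.test/login",
    "https://sso.example.test/callback",
    "https://final.example.test/home",
]

if __name__ == "__main__":
    print("vulnerable variant leaks at:",
          audit_redirect_chain(REDIRECT_CHAIN, PROXIES, rebuild_proxies_vulnerable))
    print("hardened variant leaks at:  ",
          audit_redirect_chain(REDIRECT_CHAIN, PROXIES, rebuild_proxies_fixed))
```

Run as a script, the vulnerable variant reports both HTTPS hops of the constructed chain and the hardened variant reports none. The same `audit_redirect_chain` walk is a reasonable shape for a regression test in an application that follows redirects through an authenticated proxy: feed it the redirect chains the application actually encounters and fail the build if any HTTPS hop carries the header.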
What is the Impact of CVE-2023-32681?
Successful exploitation may allow attackers to disclose sensitive `Proxy-Authorization` headers, potentially revealing credentials that could be used to access or impersonate users on a proxy server.
What is the Exploitability of CVE-2023-32681?
Exploitation of this Information Disclosure vulnerability is tied to specific network configurations and application logic involving the Requests library. It requires the use of a proxy with credentials embedded in the URL, and for the application to initiate a request that undergoes a redirect to an HTTPS destination server. No additional authentication or special privileges are required beyond the initial setup of a proxied HTTP request. This is a remote vulnerability, as the attacker could be the destination server or an eavesdropper if the destination server is compromised. The complexity is moderate, requiring an understanding of HTTP proxy authentication and redirect mechanisms. Risk factors are high for applications that use the Requests library (versions 2.3.0 to 2.30.0) with authenticated proxies and frequently encounter redirects, particularly to external or untrusted HTTPS endpoints.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| hardikmodha | Link | POC for the CVE-2023-32681 |
What are the Available Fixes for CVE-2023-32681?
About the Fix from Resolved Security
Available Upgrade Options
- requests
- >2.3.0, <2.31.0 → Upgrade to 2.31.0
- requests
- <74ea7cf7a6a27a4eeb2ae24e162bcc942a6706d5 → Upgrade to 74ea7cf7a6a27a4eeb2ae24e162bcc942a6706d5
Additional Resources
- https://lists.debian.org/debian-lts-announce/2023/06/msg00018.html
- https://github.com/psf/requests
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KOYASTZDGQG2BWLSNBPL3TQRL2G7QYNZ/
- https://github.com/psf/requests/releases/tag/v2.31.0
- https://security.gentoo.org/glsa/202309-08
- https://github.com/pypa/advisory-database/tree/main/vulns/requests/PYSEC-2023-74.yaml
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AW7HNFGYP44RT3DUDQXG2QT3OEV2PJ7Y
- https://osv.dev/vulnerability/PYSEC-2023-74
What are Similar Vulnerabilities to CVE-2023-32681?
Similar Vulnerabilities: CVE-2020-1375, CVE-2015-2016, CVE-2021-33433, CVE-2022-38605, CVE-2022-35914
