CVE-2023-45803
Information Disclosure vulnerability in urllib3
What is CVE-2023-45803 About?
This vulnerability in urllib3 involves a failure to remove the HTTP request body during a 303 'See Other' redirect, potentially leading to unintended information disclosure. If sensitive information is in the request body and the origin service is compromised to redirect to a malicious peer, this data could be exposed. Due to strict conditions (compromised service) and specific data requirements (sensitive data in request body), the exploitability is low.
Affected Software
- urllib3
- >2.0.0, <2.0.7
- <4e98d57809dacab1cbe625fddeec1a290c478ea9
- <1.26.18
Technical Details
The vulnerability in urllib3 concerns its handling of HTTP 303 'See Other' redirects. According to HTTP RFCs, a 303 redirect after a request with a body (e.g., POST) should result in the subsequent GET request (to the new location) having its body removed. urllib3, prior to versions 1.26.18 and 2.0.7, failed to remove this request body. If a user sends sensitive information in a POST request body and the legitimate origin server is compromised to issue a 303 redirect to an attacker-controlled endpoint (or the redirected service itself is compromised), the sensitive data from the original request body will be inadvertently sent to the malicious endpoint in the automatically followed GET request.
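The redirect behaviour described above, modelled in Python as an added example (this is not urllib3's own code): next_request() reproduces the single decision the fix changed, send() walks a constructed two-server redirect chain so the body each host receives is visible, and has_fix() checks a release version string against the fixed versions listed on this page. The route table and the login request are constructed sample data.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Request:
    method: str
    url: str
    body: Optional[bytes]

# Constructed route table standing in for two servers: the trusted origin answers
# the POST with a 303 to a third-party peer, and the peer simply returns 200.
ROUTES = {
    "https://origin.example/login": (303, "https://peer.example/landing"),
    "https://peer.example/landing": (200, None),
}

def next_request(req: Request, status: int, location: str, fixed: bool) -> Request:
    """Build the follow-up request after a redirect (a model of urllib3's redirect loop).

    A 303 turns the method into GET in both client generations; only the fixed
    client (1.26.18 / 2.0.7 and later) also drops the body. Other redirect codes
    re-issue the request unchanged.
    """
    if status == 303:
        return Request("GET", location, None if fixed else req.body)
    return Request(req.method, location, req.body)

def send(req: Request, fixed: bool) -> List[Tuple[str, str, Optional[bytes]]]:
    """Follow redirects and return what each server observed as (url, method, body)."""
    seen = []
    for _ in range(10):  # bound the chain; a real client enforces a redirect limit
        seen.append((req.url, req.method, req.body))
        status, location = ROUTES[req.url]
        if status not in (301, 302, 303, 307, 308) or location is None:
            return seen
        req = next_request(req, status, location, fixed)
    raise RuntimeError("too many redirects")

def has_fix(version: str) -> bool:
    """True if a urllib3 release version string (e.g. '2.0.7') contains the fix."""
    parts = (tuple(int(p) for p in version.split(".")) + (0, 0, 0))[:3]
    return parts >= (2, 0, 7) or (1, 26, 18) <= parts < (2, 0, 0)

if __name__ == "__main__":
    login = Request("POST", "https://origin.example/login", b"user=alice&password=hunter2")
    for fixed in (False, True):
        peer_saw = send(login, fixed)[-1]
        print("fixed client:" if fixed else "vulnerable client:", "peer received", peer_saw)
```

Running the block prints the request the peer host observes under each client generation: the vulnerable one forwards the POST body on the followed GET, the fixed one sends no body.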
What is the Impact of CVE-2023-45803?
Successful exploitation may allow attackers to obtain sensitive information from HTTP request bodies if the origin service is compromised and issues a 303 redirect to a malicious destination.
What is the Exploitability of CVE-2023-45803?
Exploitation of this vulnerability has low technical complexity but requires very particular conditions, so the overall likelihood of exploitation is low. The attacker needs no authentication or privileges; what they need is control of the origin server or of network traffic in the redirect path. The attack is remote, as it involves HTTP requests and redirects over the network. Two conditions must both hold: the user must be submitting sensitive information in the HTTP request body, AND the origin service must either be compromised so that it issues a 303 redirect to a malicious peer, or the redirected-to service must itself be compromised. Without a compromised trusted service in the redirect chain, this vulnerability is not exploitable. The risk is elevated only where partner service compromise is likely or where a MITM attack on HTTPS is feasible (HTTPS otherwise mitigates direct interception).
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2023-45803?
Available Upgrade Options
- urllib3
- <4e98d57809dacab1cbe625fddeec1a290c478ea9 → Upgrade to 4e98d57809dacab1cbe625fddeec1a290c478ea9
- urllib3
- <1.26.18 → Upgrade to 1.26.18
- urllib3
- >2.0.0, <2.0.7 → Upgrade to 2.0.7
Additional Resources
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PPDPLM6UUMN55ESPQWJFLLIZY4ZKCNRX/
- https://github.com/urllib3/urllib3
- https://github.com/urllib3/urllib3/commit/4e98d57809dacab1cbe625fddeec1a290c478ea9
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5F5CUBAN5XMEBVBZPHFITBLMJV5FIJJ5
- https://osv.dev/vulnerability/PYSEC-2023-212
- https://www.rfc-editor.org/rfc/rfc9110.html#name-get
- https://github.com/urllib3/urllib3/security/advisories/GHSA-g4mx-q9vg-27p4
What are Similar Vulnerabilities to CVE-2023-45803?
Similar Vulnerabilities: CVE-2018-1000130, CVE-2018-1000131, CVE-2020-15095, CVE-2021-33519, CVE-2021-37220
