rpm package
suse/python-urllib3&distro=SUSE Linux Enterprise Workstation Extension 12 SP5
pkg:rpm/suse/python-urllib3&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2012%20SP5
Vulnerabilities (8)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2024-37891 | — | < 1.25.10-3.40.1 | 1.25.10-3.40.1 | Jun 17, 2024 | urllib3 is a user-friendly HTTP client library for Python. When using urllib3's proxy support with `ProxyManager`, the `Proxy-Authorization` header is only sent to the configured proxy, as expected. However, when sending HTTP requests *without* using urllib3's proxy support, it' | ||
| CVE-2023-45803 | — | < 1.25.10-3.37.1 | 1.25.10-3.37.1 | Oct 17, 2023 | urllib3 is a user-friendly HTTP client library for Python. urllib3 previously wouldn't remove the HTTP request body when an HTTP redirect response using status 301, 302, or 303 after the request had its method changed from one that could accept a request body (like `POST`) to `GE | ||
| CVE-2023-43804 | — | < 1.25.10-3.34.1 | 1.25.10-3.34.1 | Oct 4, 2023 | urllib3 is a user-friendly HTTP client library for Python. urllib3 doesn't treat the `Cookie` HTTP header special or provide any helpers for managing cookies over HTTP, that is the responsibility of the user. However, it is possible for a user to specify a `Cookie` header and unk | ||
| CVE-2021-33503 | — | < 1.25.10-3.29.1 | 1.25.10-3.29.1 | Jun 29, 2021 | An issue was discovered in urllib3 before 1.26.5. When provided with a URL containing many @ characters in the authority component, the authority regular expression exhibits catastrophic backtracking, causing a denial of service if a URL were passed as a parameter or redirected t | ||
| CVE-2020-26137 | — | < 1.25.10-3.31.2 | 1.25.10-3.31.2 | Sep 29, 2020 | urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116. | ||
| CVE-2020-26116 | — | < 1.22-3.23.1 | 1.22-3.23.1 | Sep 27, 2020 | http.client in Python 3.x before 3.5.10, 3.6.x before 3.6.12, 3.7.x before 3.7.9, and 3.8.x before 3.8.5 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of HTTPConnection.reque | ||
| CVE-2018-18074 | — | < 1.22-3.20.1 | 1.22-3.20.1 | Oct 9, 2018 | The Requests package before 2.20.0 for Python sends an HTTP Authorization header to an http URI upon receiving a same-hostname https-to-http redirect, which makes it easier for remote attackers to discover credentials by sniffing the network. | ||
| CVE-2015-2296 | — | < 1.22-3.20.1 | 1.22-3.20.1 | Mar 18, 2015 | The resolve_redirects function in sessions.py in requests 2.1.0 through 2.5.3 allows remote attackers to conduct session fixation attacks via a cookie without a host value in a redirect. |
- CVE-2024-37891Jun 17, 2024affected < 1.25.10-3.40.1fixed 1.25.10-3.40.1
urllib3 is a user-friendly HTTP client library for Python. When using urllib3's proxy support with `ProxyManager`, the `Proxy-Authorization` header is only sent to the configured proxy, as expected. However, when sending HTTP requests *without* using urllib3's proxy support, it'
- CVE-2023-45803Oct 17, 2023affected < 1.25.10-3.37.1fixed 1.25.10-3.37.1
urllib3 is a user-friendly HTTP client library for Python. urllib3 previously wouldn't remove the HTTP request body when an HTTP redirect response using status 301, 302, or 303 after the request had its method changed from one that could accept a request body (like `POST`) to `GE
- CVE-2023-43804Oct 4, 2023affected < 1.25.10-3.34.1fixed 1.25.10-3.34.1
urllib3 is a user-friendly HTTP client library for Python. urllib3 doesn't treat the `Cookie` HTTP header special or provide any helpers for managing cookies over HTTP, that is the responsibility of the user. However, it is possible for a user to specify a `Cookie` header and unk
- CVE-2021-33503Jun 29, 2021affected < 1.25.10-3.29.1fixed 1.25.10-3.29.1
An issue was discovered in urllib3 before 1.26.5. When provided with a URL containing many @ characters in the authority component, the authority regular expression exhibits catastrophic backtracking, causing a denial of service if a URL were passed as a parameter or redirected t
- CVE-2020-26137Sep 29, 2020affected < 1.25.10-3.31.2fixed 1.25.10-3.31.2
urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116.
- CVE-2020-26116Sep 27, 2020affected < 1.22-3.23.1fixed 1.22-3.23.1
http.client in Python 3.x before 3.5.10, 3.6.x before 3.6.12, 3.7.x before 3.7.9, and 3.8.x before 3.8.5 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of HTTPConnection.reque
- CVE-2018-18074Oct 9, 2018affected < 1.22-3.20.1fixed 1.22-3.20.1
The Requests package before 2.20.0 for Python sends an HTTP Authorization header to an http URI upon receiving a same-hostname https-to-http redirect, which makes it easier for remote attackers to discover credentials by sniffing the network.
- CVE-2015-2296Mar 18, 2015affected < 1.22-3.20.1fixed 1.22-3.20.1
The resolve_redirects function in sessions.py in requests 2.1.0 through 2.5.3 allows remote attackers to conduct session fixation attacks via a cookie without a host value in a redirect.