CVERadar

CVE-2024-37891

Medium Severity
SVRS
30/100

CVSSv3
NA/10

EPSS
0.00033/1

CVE-2024-37891 affects urllib3, a Python HTTP client library. When an application sets the Proxy-Authorization header by hand on a request, instead of routing proxy credentials through urllib3's proxy support (ProxyManager), the header is treated as an ordinary request header, and urllib3 did not strip it on cross-origin redirects. The proxy credentials could therefore be sent to whichever origin a redirect pointed at. Exploitation requires all of the following: the application sets Proxy-Authorization without using ProxyManager, it leaves HTTP redirects enabled, and a server it talks to redirects the request to an origin under the attacker's control. The SVRS score of 30 indicates low risk; no CVSSv3 score is recorded on this page, and the urllib3 maintainers rate the issue moderate (4.4/10) and uncommon in practice. SOCRadar's SVRS also takes external threat intelligence into account. The fix is to upgrade to urllib3 1.26.19 or 2.2.2. Until then, send proxy credentials through the built-in ProxyManager (which only sends Proxy-Authorization to the configured proxy), disable redirects, or stop setting Proxy-Authorization on ordinary requests. Although the risk is low, patching closes an avenue for unintentional exposure of credentials during redirects.
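The redirect rule described above, modelled as an added example that is not urllib3's own code: a stdlib-only client that follows a constructed redirect chain and drops credential-bearing headers only when a hop leaves the original origin. The two strip sets are my reading of the advisory (unpatched: a hand-set Proxy-Authorization was not on the list; patched: it is stripped alongside Authorization and Cookie); every URL, header value and response in the block is constructed, so it runs offline.

```python
# Added example, not urllib3's own code: a stdlib-only model of the header rule
# behind CVE-2024-37891, run offline over a constructed redirect chain.
# Assumptions: the two strip sets model the advisory's description of unpatched
# vs fixed behaviour; all URLs, headers and responses are constructed.
from __future__ import annotations

import base64
from urllib.parse import urlsplit

# Credential-bearing headers a client must drop when a redirect leaves the
# original origin. Unpatched: Proxy-Authorization set by hand was not on the
# list (the bug). Patched: it is stripped like Authorization and Cookie.
REMOVE_ON_REDIRECT_UNPATCHED = frozenset({"authorization", "cookie"})
REMOVE_ON_REDIRECT_PATCHED = REMOVE_ON_REDIRECT_UNPATCHED | {"proxy-authorization"}

CREDENTIAL_HEADERS = REMOVE_ON_REDIRECT_PATCHED  # what we look for at the far end
REDIRECT_STATUSES = {301, 302, 303, 307, 308}
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url: str) -> tuple[str, str, int]:
    """(scheme, host, effective port): the tuple that defines an HTTP origin."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS[scheme]
    return scheme, host, port


def headers_for_redirect(headers: dict, from_url: str, to_url: str,
                         remove: frozenset = REMOVE_ON_REDIRECT_PATCHED) -> dict:
    """Headers to forward to a redirect target; `remove` applies only cross-origin."""
    if origin(from_url) == origin(to_url):
        return dict(headers)
    return {k: v for k, v in headers.items() if k.lower() not in remove}


def follow_redirects(start_url: str, headers: dict, responses: dict,
                     remove: frozenset = REMOVE_ON_REDIRECT_PATCHED,
                     max_redirects: int = 5) -> list[tuple[str, dict]]:
    """Walk a constructed redirect chain and record the headers sent to each URL.

    `responses` maps URL -> (status, Location-or-None) and stands in for servers.
    """
    url, sent = start_url, dict(headers)
    trace = [(url, dict(sent))]
    hops = 0
    while True:
        status, location = responses.get(url, (200, None))
        if status not in REDIRECT_STATUSES or location is None:
            return trace
        hops += 1
        if hops > max_redirects:
            raise RuntimeError(f"more than {max_redirects} redirects from {start_url}")
        sent = headers_for_redirect(sent, url, location, remove)
        url = location
        trace.append((url, dict(sent)))


# Constructed scenario: proxy credentials set directly as a request header (the
# misuse the advisory describes), then a same-origin hop followed by a redirect
# to a different origin. Every hostname and secret here is invented.
CONSTRUCTED_HEADERS = {
    "User-Agent": "example-client/1.0",
    "Authorization": "Bearer constructed-token",
    "Proxy-Authorization": "Basic " + base64.b64encode(b"constructed:secret").decode(),
}
CONSTRUCTED_RESPONSES = {
    "https://api.example.com/login": (302, "https://api.example.com/v2/login"),
    "https://api.example.com/v2/login": (302, "https://collector.example.net/landing"),
    "https://collector.example.net/landing": (200, None),
}


def leaked_headers(remove: frozenset) -> tuple[str, list[str]]:
    """Final URL reached and the credential headers that arrived there."""
    trace = follow_redirects("https://api.example.com/login", CONSTRUCTED_HEADERS,
                             CONSTRUCTED_RESPONSES, remove)
    final_url, final_headers = trace[-1]
    return final_url, sorted(h for h in final_headers if h.lower() in CREDENTIAL_HEADERS)


if __name__ == "__main__":
    for label, remove in (("unpatched", REMOVE_ON_REDIRECT_UNPATCHED),
                          ("patched", REMOVE_ON_REDIRECT_PATCHED)):
        url, leaked = leaked_headers(remove)
        print(f"{label:9s} -> {url} receives credential headers: {leaked or 'none'}")
```

Under the unpatched set the cross-origin target still receives Proxy-Authorization while Authorization is dropped, which is exactly the gap the CVE describes; under the patched set nothing credential-bearing survives the hop, and the same-origin hop keeps everything in both cases. With real urllib3 the equivalents of the mitigations in the text are: pass proxy credentials as `ProxyManager(proxy_url, proxy_headers=urllib3.make_headers(proxy_basic_auth="user:pass"))` so the header only goes to the proxy, or call `request(..., redirect=False)` and handle Location yourself; and check `urllib3.__version__` is at least 1.26.19 or 2.2.2.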

In The Wild
2024-06-17

2024-06-20

Indicators of Compromise

No IOCs found for this CVE

Exploits

No exploits found for this CVE


News

CVE-2024-37891 | urllib3 up to 1.26.18/2.2.1 Header Proxy-Authorization resource transfer
vuldb.com, 2024-06-17
A vulnerability classified as problematic was found in urllib3 up to 1.26.18/2.2.1. This vulnerability affects unknown code of the component Header Handler. The manipulation of the argument Proxy-Authorization leads to incorrect resource transfer. This vulnerability was named CVE-2024-37891. The attack can

Social Media

CVE-2024-37891 urllib3 is a user-friendly HTTP client library for Python. When using urllib3's proxy support with `ProxyManager`, the `Proxy-Authorization` header is only sent to t… https://t.co/i8TpgwQzv6
📦 urllib3 v2.2.2 and v1.26.19 are now available, fixing CVE-2024-37891, where the Proxy-Authorization header was not stripped in a specific case. This is a moderate severity (4.4/10) vulnerability that is uncommon in practice. https://t.co/5pGfNZBEX1 https://t.co/T00MyzrXg8

Affected Software

No affected software found for this CVE

References

Fix commit: https://github.com/urllib3/urllib3/commit/accff72ecc2f6cf5a76d9570198a93ac7c90270e
GitHub security advisory: https://github.com/urllib3/urllib3/security/advisories/GHSA-34jh-p97f-mpxf

CWE Details

CWE-669: Incorrect Resource Transfer Between Spheres. The product does not properly transfer a resource/behavior to another sphere, or improperly imports a resource/behavior from another sphere, in a manner that provides unintended control over that resource.
