ALAS2-2023-2111 --- python3-requestsID: oval:org.secpod.oval:def:1701457 | Date: (C)2023-08-08 (M)2024-01-29 |
Class: PATCH | Family: unix |
A flaw was found in the Python-requests package, where it is vulnerable to potentially leaking Proxy-Authorization headers to destination servers, specifically during redirects to an HTTPS origin. This is a product of how rebuild_proxies is used to recompute and reattach the Proxy-Authorization header to requests when redirected. This behavior only affects proxied requests when credentials are supplied in the URL user information component