Unintended leak of Proxy-Authorization header in requests
CVE-2023-32681

6.1MEDIUM

Key Information:

Vendor

Psf

Status
Requests
Vendor
CVE Published:
26 May 2023

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2023-32681?

Requests is a HTTP library. Since Requests 2.3.0, Requests has been leaking Proxy-Authorization headers to destination servers when redirected to an HTTPS endpoint. This is a product of how we use rebuild_proxies to reattach the Proxy-Authorization header to requests. For HTTP connections sent through the tunnel, the proxy will identify the header in the request itself and remove it prior to forwarding to the destination server. However when sent over HTTPS, the Proxy-Authorization header must be sent in the CONNECT request as the proxy has no visibility into the tunneled request. This results in Requests forwarding proxy credentials to the destination server unintentionally, allowing a malicious actor to potentially exfiltrate sensitive information. This issue has been patched in version 2.31.0.

Affected Version(s)

requests >= 2.3.0, < 2.31.0

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

POC-CVE-2023-32681
Created by hardikmodha

References

https://github.com/psf/requests/security/advisories/GHSA-...
x_refsource_CONFIRM
https://github.com/psf/requests/commit/74ea7cf7a6a27a4eeb...
x_refsource_MISC
https://github.com/psf/requests/releases/tag/v2.31.0
x_refsource_MISC

EPSS Score

9% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
6.1
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • 🟡

    Public PoC available

  • 👾

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

JSON
.