USN-6473-2
Vulnerability Summary
Description
python-pip vulnerabilities

USN-6473-1 fixed vulnerabilities in urllib3. This update provides the corresponding updates for the urllib3 module bundled into pip.

Original advisory details:

It was discovered that urllib3 didn't strip HTTP Authorization header on cross-origin redirects. A remote attacker could possibly use this issue to obtain sensitive information. This issue only affected Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. (CVE-2018-25091)

It was discovered that urllib3 didn't strip HTTP Cookie header on cross-origin redirects. A remote attacker could possibly use this issue to obtain sensitive information. (CVE-2023-43804)

It was discovered that urllib3 didn't strip HTTP body on status code 303 redirects under certain circumstances. A remote attacker could possibly use this issue to obtain sensitive information. (CVE-2023-45803)
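The redirect handling that the three CVEs above concern, as an added example that is not code from urllib3, pip or the advisory: a standard-library model of what a client should forward on the hop after a redirect. The names `origin`, `without`, `follow_redirect` and `demo`, the choice of body-describing headers, and the `example.test` hosts are assumptions made for illustration.

```python
from urllib.parse import urljoin, urlsplit

# Headers the advisory says must not follow a redirect to another origin.
SENSITIVE_HEADERS = frozenset({"authorization", "cookie"})
# Assumption: headers that describe a request body, dropped along with it.
BODY_HEADERS = frozenset({"content-length", "content-type"})
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return (scheme, host, port), filling in the scheme's default port."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    port = parts.port or DEFAULT_PORTS.get(scheme)
    return scheme, (parts.hostname or "").lower(), port


def without(headers, names):
    """Copy headers, leaving out the given names (case-insensitive)."""
    return {k: v for k, v in headers.items() if k.lower() not in names}


def follow_redirect(method, url, headers, body, status, location):
    """Return (method, url, headers, body) for the hop after a redirect."""
    target = urljoin(url, location)  # Location may be relative
    next_headers = dict(headers)
    if origin(target) != origin(url):
        # Cross-origin: credentials stay with the origin they were meant for.
        next_headers = without(next_headers, SENSITIVE_HEADERS)
    if status == 303 and method.upper() != "HEAD":
        # 303 See Other: retrieve the target with GET and send no body.
        method, body = "GET", None
        next_headers = without(next_headers, BODY_HEADERS)
    return method, target, next_headers, body


def demo():
    """Constructed request: a form POST answered by a 303 to another host."""
    headers = {"Cookie": "sid=constructed", "Authorization": "Bearer constructed",
               "Content-Type": "application/x-www-form-urlencoded", "Accept": "*/*"}
    return follow_redirect("POST", "https://app.example.test/login", headers,
                           b"user=constructed", 303, "https://other.example.test/next")


if __name__ == "__main__":
    print(demo())
```

A scheme or port change counts as a different origin here, so a redirect from `https://` to `http://` on the same host also drops the credentials.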
Affected Systems
- ubuntu•python-pip: < 8.1.1-2ubuntu0.6+esm6 | < 9.0.1-2.3~ubuntu1.18.04.8+esm2 | < 20.0.2-5ubuntu1.10 | < 22.0.2+dfsg-1ubuntu0.4