Vulnerability title
Unintended leak of Proxy-Authorization header in requests
Vulnerability description
Unintended leak of the Proxy-Authorization header in requests
CVSS information
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Vulnerability category
Information exposure
Vulnerability title
Unintended leak of Proxy-Authorization header in requests
Vulnerability description
Requests is an HTTP library. Since Requests 2.3.0, Requests has been leaking Proxy-Authorization headers to destination servers when redirected to an HTTPS endpoint. This is a product of how we use `rebuild_proxies` to reattach the `Proxy-Authorization` header to requests. For HTTP connections sent through the tunnel, the proxy will identify the header in the request itself and remove it prior to forwarding to the destination server. However, when sent over HTTPS, the `Proxy-Authorization` header must be sent in the CONNECT request, as the proxy has no visibility into the tunneled request. This results in Requests forwarding proxy credentials to the destination server unintentionally, allowing a malicious actor to potentially exfiltrate sensitive information. This issue has been patched in version 2.31.0.
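The following is an added illustration of the behaviour described above; it is not Requests' own code. It models two versions of the header-rebuild step on a simulated redirect chain: a pre-fix variant that reattaches `Proxy-Authorization` on every hop, and a hardened variant that drops any inherited header and only reattaches it for plain http hops (for https the credentials belong in the CONNECT request that the transport layer sends). The proxy URL, hostnames and credentials are constructed sample values, and `leaked_https_hops` is a hypothetical check a defender could run over a prepared request chain.

```python
import base64
from urllib.parse import urlparse, unquote

# Constructed sample values: hypothetical proxy with embedded credentials.
SAMPLE_PROXIES = {
    "http": "http://proxyuser:pr0xy-s3cret@proxy.example.invalid:3128",
    "https": "http://proxyuser:pr0xy-s3cret@proxy.example.invalid:3128",
}


def basic_auth_str(username: str, password: str) -> str:
    """Build an HTTP Basic credential string: 'Basic ' + base64(user:pass)."""
    token = base64.b64encode(f"{username}:{password}".encode("latin1")).decode("ascii")
    return f"Basic {token}"


def proxy_credentials(proxy_url: str):
    """Return (username, password) embedded in a proxy URL, or None if absent."""
    parsed = urlparse(proxy_url)
    if not parsed.username:
        return None
    return unquote(parsed.username), unquote(parsed.password or "")


def rebuild_proxy_headers_unsafe(url, headers, proxies):
    """Illustrative pre-fix behaviour: reattach Proxy-Authorization for every hop,
    regardless of scheme. Over an HTTPS tunnel the proxy cannot see or strip the
    header, so the destination server receives the proxy credentials."""
    headers = dict(headers)
    scheme = urlparse(url).scheme
    creds = proxy_credentials(proxies[scheme]) if scheme in proxies else None
    if creds:
        headers["Proxy-Authorization"] = basic_auth_str(*creds)
    return headers


def rebuild_proxy_headers_safe(url, headers, proxies):
    """Hardened behaviour: drop any inherited Proxy-Authorization header and only
    reattach it for plain http hops, where the proxy reads it from the request and
    removes it before forwarding. For https the credentials travel in the CONNECT
    request, never inside the tunneled request."""
    headers = dict(headers)
    headers.pop("Proxy-Authorization", None)
    scheme = urlparse(url).scheme
    creds = proxy_credentials(proxies[scheme]) if scheme in proxies else None
    if creds and scheme == "http":
        headers["Proxy-Authorization"] = basic_auth_str(*creds)
    return headers


def follow_redirects(urls, proxies, rebuild):
    """Simulate a redirect chain: headers prepared for hop N are carried into hop N+1,
    as a session would do, and `rebuild` decides what reaches each destination.
    Returns a list of (url, headers) per hop."""
    hops = []
    headers = {"User-Agent": "example-client/1.0"}
    for url in urls:
        headers = rebuild(url, headers, proxies)
        hops.append((url, dict(headers)))
    return hops


def leaked_https_hops(hops):
    """Detection check: URLs of https hops whose request carried Proxy-Authorization."""
    return [url for url, hdrs in hops
            if urlparse(url).scheme == "https" and "Proxy-Authorization" in hdrs]


if __name__ == "__main__":
    # Constructed chain: an http login page redirecting to an https account page.
    chain = ["http://app.example.invalid/login", "https://app.example.invalid/account"]
    for name, fn in (("unsafe", rebuild_proxy_headers_unsafe),
                     ("safe", rebuild_proxy_headers_safe)):
        print(name, "leaks proxy credentials to:",
              leaked_https_hops(follow_redirects(chain, SAMPLE_PROXIES, fn)))
```

Running the block shows the unsafe variant leaking on the https hop and the safe variant leaking nowhere, while the http hop still carries the header the proxy expects. The same check can be pointed at real prepared requests from a session hook to confirm that an upgraded client no longer forwards proxy credentials after a redirect to HTTPS.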
CVSS information
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N
Vulnerability category
Information exposure
Vulnerability title
Requests information disclosure vulnerability
Vulnerability description
Requests is an elegant and simple HTTP library from the Python Foundation. With Requests you can send HTTP/1.1 requests very easily, with no need to add query strings to your URLs manually or to form-encode POST data. Requests versions before 2.31.0 contain a security vulnerability that stems from the proxy having no visibility into tunneled requests. This causes Requests to unintentionally forward proxy credentials to the destination server, allowing a malicious actor to potentially exfiltrate sensitive information.
CVSS information
N/A
Vulnerability category
Information disclosure