Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Unintended leak of Proxy-Authorization header in requests
Vulnerability Description
Requests is a HTTP library. Since Requests 2.3.0, Requests has been leaking Proxy-Authorization headers to destination servers when redirected to an HTTPS endpoint. This is a product of how we use `rebuild_proxies` to reattach the `Proxy-Authorization` header to requests. For HTTP connections sent through the tunnel, the proxy will identify the header in the request itself and remove it prior to forwarding to the destination server. However when sent over HTTPS, the `Proxy-Authorization` header must be sent in the CONNECT request as the proxy has no visibility into the tunneled request. This results in Requests forwarding proxy credentials to the destination server unintentionally, allowing a malicious actor to potentially exfiltrate sensitive information. This issue has been patched in version 2.31.0.
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N
Vulnerability Type
信息暴露
Vulnerability Title
Requests 信息泄露漏洞
Vulnerability Description
Requests是Python基金会的一个优雅而简单的HTTP库。通过请求,您可以非常轻松地发送HTTP / 1.1请求。无需将查询字符串手动添加到您的URL,也无需对POST数据进行表单编码。 Requests 2.31.0之前版本存在安全漏洞,该漏洞源于代理对隧道请求不可见。 这会导致 Requests 无意中将代理凭据转发到目标服务器,从而允许恶意行为者潜在地泄露敏感信息。
CVSS Information
N/A
Vulnerability Type
N/A