Bug 2371272 (CVE-2024-47081)

Summary: CVE-2024-47081 requests: Requests vulnerable to .netrc credentials leak via malicious URLs
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: abarbaro, adinn, adistefa, adudiak, agarcial, alinfoot, anthomas, aoconnor, aprice, asegurap, bbrownin, bdettelb, bkabrda, caswilli, cdaley, crizzo, dfreiber, dhanak, dnakabaa, doconnor, dranck, drosa, drow, dsimansk, dtrifiro, ehelms, fzakkak, galder.zamarreno, ggainey, haoli, hkataria, jajackso, jburrell, jcammara, jchui, jdobes, jhe, jkoehler, jmitchel, jneedle, jsamir, jtanner, juwatts, jwendell, jwong, kaycoth, kegrant, kgaikwad, kholdawa, kingland, koliveir, kshier, ktsao, kverlaen, lball, lchilton, lcouzens, lgamliel, ljawale, lphiri, luizcosta, mabashia, matzew, mbabacek, mhayden, mhulan, mnovotny, mskarbek, nboldt, ngough, nmoumoul, nweather, oezr, olubyans, omaciel, orabin, osousa, pakotvan, pbraun, pcreech, pjindal, psegedy, psrna, rbobbitt, rbryant, rcernich, rchan, rfreiman, sausingh, sbiarozk, sdoran, sfeifer, sgehwolf, shvarugh, simaishi, smallamp, smcdonal, stcannon, sthirugn, teagle, tfister, thavo, tqvarnst, ttakamiy, veshanka, vkrizan, vkumar, weaton, xiaoxwan, yguenane, zdohnal, zzhou
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in the Requests HTTP library. This vulnerability allows leakage of .netrc credentials to third parties via maliciously crafted URLs that exploit a URL parsing issue.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2372471, 2372472, 2372473, 2372474, 2372475, 2372476, 2372477, 2372478, 2372479    
Bug Blocks:    

Description OSIDB Bzimport 2025-06-09 19:01:12 UTC 
Requests is a HTTP library. Due to a URL parsing issue, Requests releases prior to 2.32.4 may leak .netrc credentials to third parties for specific maliciously-crafted URLs. Users should upgrade to version 2.32.4 to receive a fix. For older versions of Requests, use of the .netrc file can be disabled with `trust_env=False` on one's Requests Session.