Versions of Requests between v2.3.0 and v2.30.0 are vulnerable to potential forwarding of `Proxy-Authorization` headers to destination servers when following HTTPS redirects. When proxies are defined with user info (https://user:pass@proxy:8080), Requests will construct a `Proxy-Authorization` header that is attached to the request to authenticate with the proxy. In cases where Requests receives a redirect response, it previously reattached the `Proxy-Authorization` header incorrectly, resulting in the value being sent through the tunneled connection to the destination server. Users who rely on defining their proxy credentials in the URL are *strongly* encouraged to upgrade to Requests 2.31.0+ to prevent unintentional leakage and rotate their proxy credentials once the change has been fully deployed. Users who do not use a proxy or do not supply their proxy credentials through the user information portion of their proxy URL are not subject to this vulnerability. [Github Security Advisory](https://github.com/psf/requests/security/advisories/GHSA-j8r2-6x86-q33q)
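The behaviour the advisory describes, as an added stand-alone simulation (not code from the Requests project and not its API): a proxy URL carrying userinfo is turned into a `Proxy-Authorization` header when the redirected request is re-prepared, and for an `https` destination every request header travels through the CONNECT tunnel to the origin rather than stopping at the proxy. The `fixed=True` branch mirrors the 2.31.0 rule of not attaching the header for TLS-tunneled schemes (the proxy still gets its credentials on the CONNECT request, modelled here only by the origin-view function). The helper names, the version-range check and the example hosts are assumptions of this example.

```python
"""
Simulation of CVE-2023-32681: Proxy-Authorization leaking to an origin
after an HTTPS redirect when proxy credentials live in the proxy URL.
Pure standard library; the network is modelled, not used.
"""
import base64
from urllib.parse import urlparse

# Affected range from the advisory: 2.3.0 <= version < 2.31.0 (assumed tuple form).
AFFECTED_MIN = (2, 3, 0)
FIXED_AT = (2, 31, 0)


def parse_version(version: str) -> tuple:
    """'2.30.0' -> (2, 30, 0); ignores any suffix beyond the third component."""
    return tuple(int(part) for part in version.split(".")[:3])


def requests_version_affected(version: str) -> bool:
    """True if this Requests version falls inside the advisory's affected range."""
    return AFFECTED_MIN <= parse_version(version) < FIXED_AT


def proxy_auth_header(proxy_url: str):
    """Basic credential built from the userinfo part of a proxy URL, or None.

    A proxy URL without user:pass (the 'not subject to this vulnerability'
    case in the advisory) yields None and nothing is attached.
    """
    parts = urlparse(proxy_url)
    if parts.username is None or parts.password is None:
        return None
    token = base64.b64encode(f"{parts.username}:{parts.password}".encode()).decode()
    return f"Basic {token}"


def rebuild_proxy_headers(url: str, proxies: dict, headers: dict, fixed: bool) -> dict:
    """Re-prepare the header set for a request to `url` behind `proxies`.

    fixed=False: attach Proxy-Authorization for any scheme (pre-2.31 behaviour).
    fixed=True:  attach only for plain http, where the proxy itself reads the
                 request headers; for https the credential belongs on CONNECT.
    """
    rebuilt = dict(headers)
    rebuilt.pop("Proxy-Authorization", None)  # never carry a stale value forward
    scheme = urlparse(url).scheme
    proxy = proxies.get(scheme)
    if proxy is None:
        return rebuilt
    value = proxy_auth_header(proxy)
    if value is None:
        return rebuilt
    if fixed and scheme == "https":
        return rebuilt
    rebuilt["Proxy-Authorization"] = value
    return rebuilt


def headers_seen_by_origin(url: str, headers: dict) -> dict:
    """Model of the hop: an http proxy consumes Proxy-Authorization and forwards
    the rest; for https the proxy only sees CONNECT, so the whole header set
    is encrypted end-to-end and lands on the origin server."""
    if urlparse(url).scheme == "https":
        return dict(headers)
    return {k: v for k, v in headers.items() if k.lower() != "proxy-authorization"}


def simulate_redirect(start_url: str, redirect_to: str, proxies: dict, fixed: bool) -> dict:
    """Initial request, then a redirect re-prepared with the same proxy config.
    Returns the headers the final origin receives."""
    headers = {"User-Agent": "example-client/1.0"}  # constructed sample request
    # The first hop carries no Proxy-Authorization in the request itself;
    # the credential is only attached when the redirect is rebuilt.
    headers = rebuild_proxy_headers(redirect_to, proxies, headers, fixed)
    return headers_seen_by_origin(redirect_to, headers)


if __name__ == "__main__":
    # Constructed example: credentials in the proxy URL, https-to-https redirect.
    proxies = {"https": "https://user:pass@proxy.internal:8080",
               "http": "http://user:pass@proxy.internal:8080"}
    leaked = simulate_redirect("https://a.example/login", "https://b.example/home",
                               proxies, fixed=False)
    safe = simulate_redirect("https://a.example/login", "https://b.example/home",
                             proxies, fixed=True)
    print("pre-2.31 origin sees:", leaked)
    print("2.31+    origin sees:", safe)
    print("2.30.0 affected:", requests_version_affected("2.30.0"))
```

Running the block shows the origin at `b.example` receiving `Proxy-Authorization: Basic dXNlcjpwYXNz` in the vulnerable path and nothing of the sort once the https exclusion is applied, which is why the advisory pairs the upgrade with rotating the proxy credential: any origin that was redirected to during the exposure window has already been handed the base64 form of it.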
Created mingw-python-requests tracking bugs for this issue:

Affects: fedora-all [bug 2209471]

Created python-requests tracking bugs for this issue:

Affects: fedora-all [bug 2209472]
Affects: openstack-rdo [bug 2209473]
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2023:4350 https://access.redhat.com/errata/RHSA-2023:4350
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2023:4520 https://access.redhat.com/errata/RHSA-2023:4520
This issue has been addressed in the following products:

Red Hat Ansible Automation Platform 2.4 for RHEL 8
Red Hat Ansible Automation Platform 2.4 for RHEL 9

Via RHSA-2023:4693 https://access.redhat.com/errata/RHSA-2023:4693
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Via RHSA-2023:6793 https://access.redhat.com/errata/RHSA-2023:6793
This issue has been addressed in the following products: Red Hat Satellite 6.14 for RHEL 8 Via RHSA-2023:6818 https://access.redhat.com/errata/RHSA-2023:6818
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2023:7034 https://access.redhat.com/errata/RHSA-2023:7034
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2023:7050 https://access.redhat.com/errata/RHSA-2023:7050
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2023:7042 https://access.redhat.com/errata/RHSA-2023:7042
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.6 Extended Update Support Via RHSA-2024:0299 https://access.redhat.com/errata/RHSA-2024:0299