CVE-2024-37891: Proxy-Authorization request header isn't stripped during cross-origin redirects in urllib3

Published Jun 17, 2024. Last updated 31 October 2024.

Affected Software (23 affected components; fixes available)

Component: affected version range (fixed version, where listed)
pip/urllib3: >=2.0.0, <2.2.2 (fixed in 2.2.2)
pip/urllib3: <1.26.19 (fixed in 1.26.19)
debian/python-urllib3: <=1.26.5-1~exp1 (fixed in 1.26.5-1~exp1+deb11u1, 1.26.12-1+deb12u1, 2.3.0-1)
F5 BIG-IP: >=17.1.0, <=17.1.1
F5 BIG-IP: >=16.1.0, <=16.1.5
F5 BIG-IP: >=15.1.0, <=15.1.10
F5 BIG-IQ Centralized Management: >=8.2.0, <=8.4.0
F5 F5OS-A: =1.7.0; >=1.5.1, <=1.5.2
F5 F5OS-C: >=1.6.0, <=1.6.2
redhat/urllib3: <1.26.19 (fixed in 1.26.19)
redhat/urllib3: <2.2.2 (fixed in 2.2.2)
Python urllib3: <1.26.19
Python urllib3: >=2.0.0, <2.2.2
Debian Debian Linux: =11.0
NetApp Active IQ Unified Manager (VMware vSphere)
IBM Concert Software: <=1.0.0-2.1.0
Microsoft cbl2 python-virtualenv: 20.26.6-1
Microsoft cbl2 python3: 3.9.19-13
Microsoft cbl2 python-urllib3: 1.26.19-1
Microsoft cbl2 python-virtualenv: 20.26.6-1
Microsoft azl3 python-pip: 24.2-2
Microsoft cbl2 python-urllib3: 1.26.18-2
Microsoft azl3 python-urllib3: 2.0.7-1

Event History

Jun 17, 2024
CVE Published via MITRE, 07:18 PM
Data Sourced via MITRE, 07:18 PM: Description, Severity, Weakness
Data Sourced via NVD, 08:15 PM: Description, Severity, Weakness
Data Sourced via NVD, 08:15 PM: Remedy, Affected Software
Advisory Published via GitHub, 09:37 PM
Data Sourced via Red Hat, 10:33 PM: Description, Severity, Affected Software

Jul 10, 2024
Data Sourced via Microsoft, 07:00 AM: Description, Severity, Weakness
Data Sourced via Microsoft, 07:00 AM: Affected Software
Updated via Microsoft, 07:00 AM: Description
Updated via Microsoft, 07:00 AM: Description, Severity

Aug 14, 2024
Advisory Published via F5, 10:02 PM

Oct 29, 2024
Data Sourced via Launchpad, 05:14 PM: Description

Nov 2, 2024
Data Sourced via Ubuntu, 05:15 PM: Remedy, Description, Severity, Affected Software

Jan 21, 2026
Data Sourced via IBM, 12:00 AM: Description, Affected Software

Frequently Asked Questions

1. What is the severity of CVE-2024-37891?
CVE-2024-37891 has been classified as a medium severity vulnerability.

2. How do I fix CVE-2024-37891?
To fix CVE-2024-37891, upgrade urllib3 to version 1.26.19 or 2.2.2.

3. What does CVE-2024-37891 affect?
CVE-2024-37891 affects the urllib3 HTTP client library used in various packages and products.

4. Can CVE-2024-37891 be exploited?
Yes, CVE-2024-37891 can be exploited by attackers to compromise the confidentiality of the proxy authorization headers.

5. Which versions of urllib3 are vulnerable to CVE-2024-37891?
Versions of urllib3 prior to 1.26.19 and 2.2.2 are vulnerable to CVE-2024-37891.
