{"id":"ALPINE-CVE-2023-43804","details":"urllib3 is a user-friendly HTTP client library for Python. urllib3 doesn't treat the `Cookie` HTTP header special or provide any helpers for managing cookies over HTTP, that is the responsibility of the user. However, it is possible for a user to specify a `Cookie` header and unknowingly leak information via HTTP redirects to a different origin if that user doesn't disable redirects explicitly. This issue has been patched in urllib3 version 1.26.17 or 2.0.5.","modified":"2026-03-09T01:23:33.455036Z","published":"2023-10-04T17:15:10.163Z","upstream":["CVE-2023-43804"],"references":[{"type":"ADVISORY","url":"https://security.alpinelinux.org/vuln/CVE-2023-43804"}],"affected":[{"package":{"name":"py3-urllib3","ecosystem":"Alpine:v3.15","purl":"pkg:apk/alpine/py3-urllib3?arch=source"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.26.17-r0"}]}],"versions":["1.18-r0","1.21.1-r0","1.22-r0","1.24.1-r0","1.24.1-r1","1.24.2-r0","1.25.1-r0","1.25.10-r0","1.25.11-r0","1.25.2-r0","1.25.3-r0","1.25.5-r0","1.25.6-r0","1.25.6-r1","1.25.7-r0","1.25.7-r1","1.25.8-r0","1.25.9-r0","1.26.0-r0","1.26.1-r0","1.26.2-r0","1.26.2-r1","1.26.3-r0","1.26.4-r0","1.26.4-r1","1.26.5-r0","1.26.6-r0","1.26.7-r0"],"ecosystem_specific":{},"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/alpine/ALPINE-CVE-2023-43804.json"}},{"package":{"name":"py3-urllib3","ecosystem":"Alpine:v3.16","purl":"pkg:apk/alpine/py3-urllib3?arch=source"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.26.17-r0"}]}],"versions":["1.18-r0","1.21.1-r0","1.22-r0","1.24.1-r0","1.24.1-r1","1.24.2-r0","1.25.1-r0","1.25.10-r0","1.25.11-r0","1.25.2-r0","1.25.3-r0","1.25.5-r0","1.25.6-r0","1.25.6-r1","1.25.7-r0","1.25.7-r1","1.25.8-r0","1.25.9-r0","1.26.0-r0","1.26.1-r0","1.26.2-r0","1.26.2-r1","1.26.3-r0","1.26.4-r0","1.26.4-r1","1.26.5-r0","1.26.6-r0","1.26.7-r0","1.26.7-r1","1.26.8-r0","1.26.9-r0"],"ecosystem_specific":{},"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/alpine/ALPINE-CVE-2023-43804.json"}},{"package":{"name":"py3-urllib3","ecosystem":"Alpine:v3.17","purl":"pkg:apk/alpine/py3-urllib3?arch=source"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.26.17-r0"}]}],"versions":["1.18-r0","1.21.1-r0","1.22-r0","1.24.1-r0","1.24.1-r1","1.24.2-r0","1.25.1-r0","1.25.10-r0","1.25.11-r0","1.25.2-r0","1.25.3-r0","1.25.5-r0","1.25.6-r0","1.25.6-r1","1.25.7-r0","1.25.7-r1","1.25.8-r0","1.25.9-r0","1.26.0-r0","1.26.1-r0","1.26.10-r0","1.26.11-r0","1.26.12-r0","1.26.2-r0","1.26.2-r1","1.26.3-r0","1.26.4-r0","1.26.4-r1","1.26.5-r0","1.26.6-r0","1.26.7-r0","1.26.7-r1","1.26.8-r0","1.26.9-r0"],"ecosystem_specific":{},"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/alpine/ALPINE-CVE-2023-43804.json"}},{"package":{"name":"py3-urllib3","ecosystem":"Alpine:v3.18","purl":"pkg:apk/alpine/py3-urllib3?arch=source"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.26.17-r0"}]}],"versions":["1.18-r0","1.21.1-r0","1.22-r0","1.24.1-r0","1.24.1-r1","1.24.2-r0","1.25.1-r0","1.25.10-r0","1.25.11-r0","1.25.2-r0","1.25.3-r0","1.25.5-r0","1.25.6-r0","1.25.6-r1","1.25.7-r0","1.25.7-r1","1.25.8-r0","1.25.9-r0","1.26.0-r0","1.26.1-r0","1.26.10-r0","1.26.11-r0","1.26.12-r0","1.26.12-r1","1.26.13-r0","1.26.14-r0","1.26.15-r0","1.26.15-r1","1.26.2-r0","1.26.2-r1","1.26.3-r0","1.26.4-r0","1.26.4-r1","1.26.5-r0","1.26.6-r0","1.26.7-r0","1.26.7-r1","1.26.8-r0","1.26.9-r0"],"ecosystem_specific":{},"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/alpine/ALPINE-CVE-2023-43804.json"}},{"package":{"name":"py3-urllib3","ecosystem":"Alpine:v3.19","purl":"pkg:apk/alpine/py3-urllib3?arch=source"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.26.17-r0"}]}],"versions":["1.18-r0","1.21.1-r0","1.22-r0","1.24.1-r0","1.24.1-r1","1.24.2-r0","1.25.1-r0","1.25.10-r0","1.25.11-r0","1.25.2-r0","1.25.3-r0","1.25.5-r0","1.25.6-r0","1.25.6-r1","1.25.7-r0","1.25.7-r1","1.25.8-r0","1.25.9-r0","1.26.0-r0","1.26.1-r0","1.26.10-r0","1.26.11-r0","1.26.12-r0","1.26.12-r1","1.26.13-r0","1.26.14-r0","1.26.15-r0","1.26.15-r1","1.26.15-r2","1.26.16-r0","1.26.2-r0","1.26.2-r1","1.26.3-r0","1.26.4-r0","1.26.4-r1","1.26.5-r0","1.26.6-r0","1.26.7-r0","1.26.7-r1","1.26.8-r0","1.26.9-r0"],"ecosystem_specific":{},"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/alpine/ALPINE-CVE-2023-43804.json"}},{"package":{"name":"py3-urllib3","ecosystem":"Alpine:v3.20","purl":"pkg:apk/alpine/py3-urllib3?arch=source"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.26.17-r0"}]}],"versions":["1.18-r0","1.21.1-r0","1.22-r0","1.24.1-r0","1.24.1-r1","1.24.2-r0","1.25.1-r0","1.25.10-r0","1.25.11-r0","1.25.2-r0","1.25.3-r0","1.25.5-r0","1.25.6-r0","1.25.6-r1","1.25.7-r0","1.25.7-r1","1.25.8-r0","1.25.9-r0","1.26.0-r0","1.26.1-r0","1.26.10-r0","1.26.11-r0","1.26.12-r0","1.26.12-r1","1.26.13-r0","1.26.14-r0","1.26.15-r0","1.26.15-r1","1.26.15-r2","1.26.16-r0","1.26.2-r0","1.26.2-r1","1.26.3-r0","1.26.4-r0","1.26.4-r1","1.26.5-r0","1.26.6-r0","1.26.7-r0","1.26.7-r1","1.26.8-r0","1.26.9-r0"],"ecosystem_specific":{},"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/alpine/ALPINE-CVE-2023-43804.json"}},{"package":{"name":"py3-urllib3","ecosystem":"Alpine:v3.21","purl":"pkg:apk/alpine/py3-urllib3?arch=source"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.26.17-r0"}]}],"versions":["1.18-r0","1.21.1-r0","1.22-r0","1.24.1-r0","1.24.1-r1","1.24.2-r0","1.25.1-r0","1.25.10-r0","1.25.11-r0","1.25.2-r0","1.25.3-r0","1.25.5-r0","1.25.6-r0","1.25.6-r1","1.25.7-r0","1.25.7-r1","1.25.8-r0","1.25.9-r0","1.26.0-r0","1.26.1-r0","1.26.10-r0","1.26.11-r0","1.26.12-r0","1.26.12-r1","1.26.13-r0","1.26.14-r0","1.26.15-r0","1.26.15-r1","1.26.15-r2","1.26.16-r0","1.26.2-r0","1.26.2-r1","1.26.3-r0","1.26.4-r0","1.26.4-r1","1.26.5-r0","1.26.6-r0","1.26.7-r0","1.26.7-r1","1.26.8-r0","1.26.9-r0"],"ecosystem_specific":{},"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/alpine/ALPINE-CVE-2023-43804.json"}},{"package":{"name":"py3-urllib3","ecosystem":"Alpine:v3.22","purl":"pkg:apk/alpine/py3-urllib3?arch=source"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.26.17-r0"}]}],"versions":["1.18-r0","1.21.1-r0","1.22-r0","1.24.1-r0","1.24.1-r1","1.24.2-r0","1.25.1-r0","1.25.10-r0","1.25.11-r0","1.25.2-r0","1.25.3-r0","1.25.5-r0","1.25.6-r0","1.25.6-r1","1.25.7-r0","1.25.7-r1","1.25.8-r0","1.25.9-r0","1.26.0-r0","1.26.1-r0","1.26.10-r0","1.26.11-r0","1.26.12-r0","1.26.12-r1","1.26.13-r0","1.26.14-r0","1.26.15-r0","1.26.15-r1","1.26.15-r2","1.26.16-r0","1.26.2-r0","1.26.2-r1","1.26.3-r0","1.26.4-r0","1.26.4-r1","1.26.5-r0","1.26.6-r0","1.26.7-r0","1.26.7-r1","1.26.8-r0","1.26.9-r0"],"ecosystem_specific":{},"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/alpine/ALPINE-CVE-2023-43804.json"}},{"package":{"name":"py3-urllib3","ecosystem":"Alpine:v3.23","purl":"pkg:apk/alpine/py3-urllib3?arch=source"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.26.17-r0"}]}],"versions":["1.18-r0","1.21.1-r0","1.22-r0","1.24.1-r0","1.24.1-r1","1.24.2-r0","1.25.1-r0","1.25.10-r0","1.25.11-r0","1.25.2-r0","1.25.3-r0","1.25.5-r0","1.25.6-r0","1.25.6-r1","1.25.7-r0","1.25.7-r1","1.25.8-r0","1.25.9-r0","1.26.0-r0","1.26.1-r0","1.26.10-r0","1.26.11-r0","1.26.12-r0","1.26.12-r1","1.26.13-r0","1.26.14-r0","1.26.15-r0","1.26.15-r1","1.26.15-r2","1.26.16-r0","1.26.2-r0","1.26.2-r1","1.26.3-r0","1.26.4-r0","1.26.4-r1","1.26.5-r0","1.26.6-r0","1.26.7-r0","1.26.7-r1","1.26.8-r0","1.26.9-r0"],"ecosystem_specific":{},"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/alpine/ALPINE-CVE-2023-43804.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"}]}