usn-7762-1
Vulnerability from osv_ubuntu
Dennis Brinkrolf and Tobias Funke discovered that Requests incorrectly leaked Proxy-Authorization headers. A remote attacker could possibly use this issue to obtain sensitive information. This update addresses the issue in the Requests module bundled into pip in Ubuntu 22.04 LTS. (CVE-2023-32681)
It was discovered that urllib3 didn't strip HTTP body on status code 303 redirects under certain circumstances. A remote attacker could possibly use this issue to obtain sensitive information. This update addresses the issue in the urllib3 module bundled into pip in Ubuntu 24.04 LTS. (CVE-2023-45803)
Guido Vranken discovered that idna did not properly manage certain inputs, which could lead to significant resource consumption. An attacker could possibly use this issue to cause a denial of service. This update addresses the issue in the idna module bundled into pip in Ubuntu 22.04 LTS and Ubuntu 24.04 LTS. (CVE-2024-3651)
Juho Forsén discovered that Requests did not correctly parse URLs. A remote attacker could possibly use this issue to leak sensitive information. This update addresses the issue in the Requests module bundled into pip in Ubuntu 22.04 LTS, Ubuntu 24.04 LTS, and Ubuntu 25.04. (CVE-2024-47081)
| URL | Type | |
|---|---|---|
{
"affected": [
{
"database_specific": {
"cves_map": {
"cves": [
{
"id": "CVE-2023-32681",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2024-3651",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2024-47081",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
}
],
"ecosystem": "Ubuntu:22.04:LTS"
}
},
"ecosystem_specific": {
"availability": "No subscription required",
"binaries": [
{
"binary_name": "python3-pip",
"binary_version": "22.0.2+dfsg-1ubuntu0.7"
},
{
"binary_name": "python3-pip-whl",
"binary_version": "22.0.2+dfsg-1ubuntu0.7"
}
]
},
"package": {
"ecosystem": "Ubuntu:22.04:LTS",
"name": "python-pip",
"purl": "pkg:deb/ubuntu/python-pip@22.0.2+dfsg-1ubuntu0.7?arch=source\u0026distro=jammy"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "22.0.2+dfsg-1ubuntu0.7"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"20.3.4-4",
"21.3.1+dfsg-3",
"22.0.2+dfsg-1",
"22.0.2+dfsg-1ubuntu0.1",
"22.0.2+dfsg-1ubuntu0.2",
"22.0.2+dfsg-1ubuntu0.3",
"22.0.2+dfsg-1ubuntu0.4",
"22.0.2+dfsg-1ubuntu0.5",
"22.0.2+dfsg-1ubuntu0.6"
]
},
{
"database_specific": {
"cves_map": {
"cves": [
{
"id": "CVE-2023-45803",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2024-3651",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2024-47081",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
}
],
"ecosystem": "Ubuntu:24.04:LTS"
}
},
"ecosystem_specific": {
"availability": "No subscription required",
"binaries": [
{
"binary_name": "python3-pip",
"binary_version": "24.0+dfsg-1ubuntu1.3"
},
{
"binary_name": "python3-pip-whl",
"binary_version": "24.0+dfsg-1ubuntu1.3"
}
]
},
"package": {
"ecosystem": "Ubuntu:24.04:LTS",
"name": "python-pip",
"purl": "pkg:deb/ubuntu/python-pip@24.0+dfsg-1ubuntu1.3?arch=source\u0026distro=noble"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "24.0+dfsg-1ubuntu1.3"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"23.2+dfsg-1",
"23.3+dfsg-1",
"24.0+dfsg-1",
"24.0+dfsg-1ubuntu1",
"24.0+dfsg-1ubuntu1.1",
"24.0+dfsg-1ubuntu1.2"
]
}
],
"aliases": [],
"details": "Dennis Brinkrolf and Tobias Funke discovered that Requests incorrectly\nleaked Proxy-Authorization headers. A remote attacker could possibly use\nthis issue to obtain sensitive information. This update addresses the issue\nin the Requests module bundled into pip in Ubuntu 22.04 LTS.\n(CVE-2023-32681)\n\nIt was discovered that urllib3 didn\u0027t strip HTTP body on status code\n303 redirects under certain circumstances. A remote attacker could\npossibly use this issue to obtain sensitive information. This update\naddresses the issue in the urllib3 module bundled into pip in Ubuntu\n24.04 LTS. (CVE-2023-45803)\n\nGuido Vranken discovered that idna did not properly manage certain inputs,\nwhich could lead to significant resource consumption. An attacker could\npossibly use this issue to cause a denial of service. This update addresses\nthe issue in the idna module bundled into pip in Ubuntu 22.04 LTS and\nUbuntu 24.04 LTS. (CVE-2024-3651)\n\nJuho Fors\u00e9n discovered that Requests did not correctly parse URLs. A\nremote attacker could possibly use this issue to leak sensitive\ninformation. This update addresses the issue in the Requests module bundled\ninto pip in Ubuntu 22.04 LTS, Ubuntu 24.04 LTS, and Ubuntu 25.04.\n(CVE-2024-47081)",
"id": "USN-7762-1",
"modified": "2026-04-27T14:11:45Z",
"published": "2025-09-23T12:23:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://ubuntu.com/security/notices/USN-7762-1"
},
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2023-32681"
},
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2023-45803"
},
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2024-3651"
},
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2024-47081"
},
{
"type": "REPORT",
"url": "https://launchpad.net/bugs/2031880"
}
],
"related": [],
"schema_version": "1.7.0",
"summary": "python-pip vulnerabilities",
"upstream": [
"UBUNTU-CVE-2023-32681",
"UBUNTU-CVE-2023-45803",
"UBUNTU-CVE-2024-3651",
"UBUNTU-CVE-2024-47081"
]
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.