VDB

ALPINE-CVE-2023-43804

ALPINE-CVE-2023-43804 PUBLISHED CVSS 8.100000381469727 HIGH

urllib3 is a user-friendly HTTP client library for Python. urllib3 doesn't treat the `Cookie` HTTP header special or provide any helpers for managing cookies over HTTP, that is the responsibility of the user. However, it is possible for a user to specify a `Cookie` header and unknowingly leak information via HTTP redirects to a different origin if that user doesn't disable redirects explicitly. This issue has been patched in urllib3 version 1.26.17 or 2.0.5.

Risk Scores

CVSS v3.1
8.100000381469727
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Affected Products

VendorProductVersions
Alpine:v3.18py3-urllib31.26.9-r0, 1.26.9-r0, 1.26.8-r0
Alpine:v3.15py3-urllib31.18-r0, 1.26.7-r0, 1.26.6-r0
Alpine:v3.16py3-urllib30, 1.25.6-r0, 1.25.8-r0
Alpine:v3.19py3-urllib31.26.12-r1, 1.26.12-r0, 1.26.11-r0
Alpine:v3.23py3-urllib31.26.11-r0, 0, 1.21.1-r0
Alpine:v3.17py3-urllib31.26.1-r0, 1.26.0-r0, 1.25.9-r0
Alpine:v3.22py3-urllib31.21.1-r0, 1.26.12-r0, 1.26.12-r1
Alpine:v3.21py3-urllib31.21.1-r0, 1.25.6-r0, 1.25.6-r1
Alpine:v3.20py3-urllib31.26.9-r0, 1.26.0-r0, 1.26.1-r0

Timeline

  • Oct 4, 2023 CVE Published
  • Dec 3, 2025 CVE Updated
  • Apr 30, 2026 Distribution Patch

References

Open in Interactive Console →
$ Console Community · 100/wk Open console ›