docker / docker-py

A Python library for the Docker Engine API

Home Page: https://docker-py.readthedocs.io/


urllib3 vulnerability

jbmoorhouse opened this issue · comments

Problem

urllib3 vulnerability. Trivy complains about the following for version 1.26.11 due to GHSA-v845-jxx5-vc9f. Note the link below currently yields a 404 😒.

| Library | Vulnerability | Severity | Installed Version | Fixed Version | Title |
|---|---|---|---|---|---|
| urllib3 | CVE-2023-43804 | MEDIUM | 1.26.11 | 2.0.6, 1.26.17 | Cookie HTTP header isn't stripped on cross-origin redirects https://avd.aquasec.com/nvd/cve-2023-43804 |

Anything Else?

It looks like this is being addressed in #3180. Is this close to being in a merge-able state?

Ah, I'm also getting hit with this. A speedy result would be much appreciated.

Hi

Any plans to resolve this issue shortly?

Installing this library does not require exactly that version of urllib3:

docker-py/setup.py (lines 12 to 17 in 78439eb):

```python
requirements = [
    'packaging >= 14.0',
    'requests >= 2.26.0',
    'urllib3 >= 1.26.0',
    'websocket-client >= 0.32.0',
]
```

There is nothing the maintainers of this library need to do so downstream projects and applications can use a newer version; requirements.txt is only used for tests.

Yes, as mentioned above, you should be able to use newer, compatible versions of urllib3, the setup.py defines a minimum version.

Regardless, the version in requirements.txt (which is used for tests/development) has been bumped thanks to dependabot in #3183, so hopefully that will eliminate any noise from security scanners.
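The two maintainer replies above reduce to a check a downstream project can run itself: docker-py only declares a floor (`urllib3 >= 1.26.0`, from setup.py), and the advisory's fix landed on two release lines (1.26.17 and 2.0.6, from the Trivy output quoted in the issue). The script below is an added example, not code from docker-py or from anyone in this thread. It uses only the standard library; the affected ranges are an assumption derived from those two fixed versions (everything below 1.26.17, plus 2.0.0 up to but not including 2.0.6), and `declared_urllib3_requirement()` falls back to the setup.py value when the `docker` distribution is not installed.

```python
"""Check a urllib3 version against CVE-2023-43804 (GHSA-v845-jxx5-vc9f) and
against docker-py's declared minimum.

Added example, not code from docker-py. Fixed versions (1.26.17, 2.0.6) are
taken from the advisory as quoted in the issue; the minimum ('urllib3 >=
1.26.0') from setup.py. Standard library only, so it runs offline.
"""
from __future__ import annotations

import importlib.metadata

# docker-py declares only a floor; anything at or above it is installable.
DOCKER_PY_URLLIB3_MINIMUM = "1.26.0"

# The fix shipped on two release lines. Assumption: the 2.0.x line counts as
# affected from 2.0.0 up to (not including) 2.0.6; 2.1+ postdates the fix.
FIXED_1_26 = (1, 26, 17)
FIXED_2_0 = (2, 0, 6)


def parse_version(text: str) -> tuple[int, int, int]:
    """Parse a plain release version ('1.26.17', '2.0') into a 3-tuple.

    Pre-release and local versions are rejected rather than guessed at, so a
    gate built on this never silently mis-ranks something like '2.0.6rc1'.
    """
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unsupported version string: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def is_vulnerable(version: str) -> bool:
    """True if this urllib3 release still forwards Cookie on cross-origin redirects."""
    v = parse_version(version)
    if v < FIXED_1_26:
        return True  # 1.26.16 and older, including every 1.25.x and earlier
    return (2, 0, 0) <= v < FIXED_2_0  # 2.0.0 .. 2.0.5; 2.1+ is post-fix


def recommended_fix(version: str) -> str | None:
    """Smallest fixed release on the same line, or None if already fixed.

    A naive 'installed >= 1.26.17' test would wrongly pass 2.0.0..2.0.5.
    """
    v = parse_version(version)
    if v < FIXED_1_26:
        return "1.26.17"
    if (2, 0, 0) <= v < FIXED_2_0:
        return "2.0.6"
    return None


def satisfies_docker_py_minimum(version: str) -> bool:
    """The fixed release must still meet docker-py's floor to be installable."""
    return parse_version(version) >= parse_version(DOCKER_PY_URLLIB3_MINIMUM)


def declared_urllib3_requirement(
    fallback: str = f"urllib3 >= {DOCKER_PY_URLLIB3_MINIMUM}",
) -> str:
    """Read the urllib3 requirement the installed 'docker' distribution declares.

    Returns the setup.py value as a fallback when docker-py is not installed.
    """
    try:
        reqs = importlib.metadata.requires("docker") or []
    except importlib.metadata.PackageNotFoundError:
        return fallback
    for req in reqs:
        if req.split()[0].lower().startswith("urllib3"):
            return req
    return fallback


def installed_urllib3_version() -> str | None:
    """Version of urllib3 in this environment, or None if absent."""
    try:
        return importlib.metadata.version("urllib3")
    except importlib.metadata.PackageNotFoundError:
        return None


def audit(installed: str) -> dict:
    """One-shot summary of the kind a CI gate would log before failing."""
    return {
        "installed": installed,
        "vulnerable": is_vulnerable(installed),
        "upgrade_to": recommended_fix(installed),
        "allowed_by_docker_py": satisfies_docker_py_minimum(installed),
    }


if __name__ == "__main__":
    # First the version from the Trivy finding in the issue, then whatever
    # this environment actually has installed (if anything).
    for candidate in ("1.26.11", installed_urllib3_version()):
        if not candidate:
            continue
        try:
            print(audit(candidate), "| docker-py declares:", declared_urllib3_requirement())
        except ValueError as exc:
            print(f"skipped {candidate!r}: {exc}")
```

Pinning `urllib3>=1.26.17,<2` (or `>=2.0.6`) in the downstream project's own requirements or constraints file is then the whole fix; nothing in docker-py's metadata stands in the way of either line.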