Python monday-code dependency on urllib3

Hello,

The monday-code PyPI lib depends on urllib3 <2.1.0.

However, there is a CVE associated with it.
Can you increase the version dependency?

From safety:

→ Vulnerability found in urllib3 version 2.0.7
Vulnerability ID: 71608
Affected spec: >=2.0.0a1,<=2.2.1
ADVISORY: Urllib3’s ProxyManager ensures that the Proxy-Authorization header is correctly directed only to configured proxies. However, when HTTP requests bypass urllib3’s proxy support, there’s a risk of inadvertently setting the Proxy-Authorization header, which remains ineffective without a forwarding or tunneling proxy. Urllib3 does not recognize this header as carrying authentication data, failing to remove it during cross-origin redirects. While this scenario is uncommon and poses low risk to most users, urllib3 now proactively removes the Proxy-Authorization header during cross-origin redirects as a precautionary measure. Users are advised to utilize urllib3’s proxy support or disable automatic redirects to handle the Proxy-Authorization header securely. Despite these precautions, urllib3 defaults to stripping the header to safeguard users who may inadvertently misconfigure requests.
CVE-2024-37891
For more information about this vulnerability, visit CVE-2024-37891 - Urllib3 Vulnerability - Safety #71608
To ignore this vulnerability, use PyUp vulnerability id 71608 in safety’s ignore command-line argument or add the ignore to your safety policy file.
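
To make the advisory above concrete for anyone landing on this thread, here is an added illustration written for this page. It is not code from urllib3, monday-code or any of the posters; it models the redirect rule the fix introduced rather than calling urllib3. The two header sets reflect my understanding of urllib3's default "remove on redirect" list before and after 2.2.2 (Cookie and Authorization, then Proxy-Authorization added); the URLs, header values and the `demo` scenario are constructed for the example.

```python
from urllib.parse import urlsplit

# Credential-bearing headers a client must not forward to a different origin.
# Assumed defaults: before urllib3 2.2.2 only Cookie and Authorization were
# dropped on a cross-origin redirect; the CVE-2024-37891 fix added
# Proxy-Authorization. Check urllib3's Retry defaults for the authoritative list.
STRIP_BEFORE_FIX = frozenset({"cookie", "authorization"})
STRIP_AFTER_FIX = STRIP_BEFORE_FIX | {"proxy-authorization"}

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return the (scheme, host, port) triple that defines a web origin."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    # An explicit default port (https://host:443) is the same origin as no port.
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)


def is_cross_origin(from_url, to_url):
    return origin(from_url) != origin(to_url)


def headers_for_redirect(headers, from_url, to_url, strip=STRIP_AFTER_FIX):
    """Headers a client should send when following a redirect.

    Same-origin redirect: everything is forwarded unchanged.
    Cross-origin redirect: every header named in `strip` is removed.
    Header names are compared case-insensitively.
    """
    if not is_cross_origin(from_url, to_url):
        return dict(headers)
    return {name: value for name, value in headers.items()
            if name.lower() not in strip}


def leaked_credentials(headers, from_url, to_url, strip):
    """Names of credential headers that would reach the redirect target."""
    forwarded = headers_for_redirect(headers, from_url, to_url, strip)
    return sorted(name for name in forwarded if name.lower() in STRIP_AFTER_FIX)


def demo():
    # Constructed scenario: the application set Proxy-Authorization by hand
    # (the misconfiguration the advisory describes) instead of going through
    # ProxyManager, and the API host then redirects to another origin.
    request_headers = {
        "Authorization": "Bearer app-token",
        "Proxy-Authorization": "Basic cHJveHl1c2VyOnNlY3JldA==",
        "Accept": "application/json",
    }
    start = "https://api.example.com/v1/items"
    target = "https://cdn.example-partner.net/items.json"
    return {
        "before_fix": leaked_credentials(request_headers, start, target, STRIP_BEFORE_FIX),
        "after_fix": leaked_credentials(request_headers, start, target, STRIP_AFTER_FIX),
    }


if __name__ == "__main__":
    print(demo())  # {'before_fix': ['Proxy-Authorization'], 'after_fix': []}
```

Running it shows the difference the fix makes: with the pre-2.2.2 rule the hand-set Proxy-Authorization value travels to the foreign origin, with the post-fix rule it is dropped. For the thread's actual problem the remedy is the one requested above, loosening the `<2.1.0` pin so a release with the fix can be installed; until then the advisory's own mitigations apply (send proxy credentials only through urllib3's proxy support, or disable automatic redirects).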

Hello there @jem.rayfield,

Would you be able to please fill in this form, adding as much information as possible, so that our team can take a look into it? We need this to be in our system to create a request for our team from there.

I think this is enough information, if I am honest. The CVE URL itself gives you all the details on the vulnerability.

Hello again @jem.rayfield,

I see that you created a request for us and our team is checking this!

Thank you for that :smile:
