<?xml version="1.0" encoding="utf-8"?>
  <?xml-stylesheet type="text/xsl" href="sa-render.xsl"?>
  <update from="huaweicloud.com" type="security" status="stable" version="1">
    <id>HCE2-SA-2024-0257</id>
    <title>An update for python-urllib3 is now available for HCE 2.0</title>
    <severity>Moderate</severity>
    <release>HCE 2.0</release>
    <issued date="2024-09-23 10:09:48"/>
    <updated date="2024-09-23 10:09:48"/>
    <references>
      <reference href="https://nvd.nist.gov/vuln/detail/CVE-2024-37891" id="CVE-2024-37891" title="CVE-2024-37891 Base Score: 4.4 Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N" type="cve"/>
    </references>
    <description>Security Fix(es):

 urllib3 is a user-friendly HTTP client library for Python. When using urllib3's proxy support with `ProxyManager`, the `Proxy-Authorization` header is only sent to the configured proxy, as expected. However, when sending HTTP requests *without* using urllib3's proxy support, it's possible to accidentally configure the `Proxy-Authorization` header even though it won't have any effect, as the request is not using a forwarding proxy or a tunneling proxy. In those cases, urllib3 doesn't treat the `Proxy-Authorization` HTTP header as one carrying authentication material and thus doesn't strip the header on cross-origin redirects. Because this is a highly unlikely scenario, we believe the severity of this vulnerability is low for almost all users. Out of an abundance of caution, urllib3 will automatically strip the `Proxy-Authorization` header during cross-origin redirects to avoid the small chance that users are doing this by accident. Users should use urllib3's proxy support or disable automatic redirects to achieve safe processing of the `Proxy-Authorization` header, but we still decided to strip the header by default in order to further protect users who aren't using the correct approach. We believe the number of usages affected by this advisory is low. It requires all of the following to be true to be exploited: 1. Setting the `Proxy-Authorization` header without using urllib3's built-in proxy support. 2. Not disabling HTTP redirects. 3. Either not using an HTTPS origin server, or the proxy or target origin redirecting to a malicious origin. Users are advised to update to either version 1.26.19 or version 2.2.2. Users unable to upgrade may use the `Proxy-Authorization` header with urllib3's `ProxyManager`, disable HTTP redirects using `redirects=False` when sending requests, or not use the `Proxy-Authorization` header as mitigations. (CVE-2024-37891)
</description>
    <pkglist>
      <collection short="HCE 2.0" package="python-urllib3">
        <name>HCE 2.0</name>
        <package arch="noarch" name="python3-urllib3" version="1.26.7" release="2.r8.hce2">
          <filename>python3-urllib3-1.26.7-2.r8.hce2.noarch.rpm</filename>
        </package>
      </collection>
    </pkglist>
  </update>
