[ASA-202205-1] python-httpx: access restriction bypass
Arch Linux Security Advisory ASA-202205-1
=========================================

Severity: Critical
Date    : 2022-05-16
CVE-ID  : CVE-2021-41945
Package : python-httpx
Type    : access restriction bypass
Remote  : Yes
Link    : https://security.archlinux.org/AVG-2718

Summary
=======

The package python-httpx before version 0.22.0-2 is vulnerable to access restriction bypass.

Resolution
==========

Upgrade to 0.22.0-2.

# pacman -Syu "python-httpx>=0.22.0-2"

The problem has been fixed upstream but no release is available yet.

Workaround
==========

None.

Description
===========

A vulnerability was found in the `httpx.URL`, `httpx.Client` and `httpx.URL.copy_with` functions of the python-httpx package allowing an attacker to bypass access restrictions.

Impact
======

An attacker can access sensitive information using a maliciously crafted HTTP request.

References
==========

https://github.com/archlinux/svntogit-community/commit/6bc11df9ae9b7644e58a54bdfd706720a2f952bc
https://gist.github.com/lebr0nli/4edb76bbd3b5ff993cf44f2fbce5e571
https://github.com/advisories/GHSA-h8pj-cxx2-jfg2
https://github.com/encode/httpx/discussions/1831
https://github.com/encode/httpx/issues/2184
https://github.com/encode/httpx/pull/2185
https://security.archlinux.org/CVE-2021-41945