Safety vulnerability ID: 63243
The information on this page was manually curated by our Cybersecurity Intelligence Team.
Compliance-trestle 2.4.0 updates its urllib3 dependency to version 1.26.17 because of CVE-2023-43804. Before that release, urllib3 did not strip the Cookie request header when following a redirect to a different origin, so an application that set a Cookie header and left redirects enabled (the default) could send that cookie to a third-party host. The issue is fixed in urllib3 1.26.17 and 2.0.5; installations that cannot upgrade should disable redirects explicitly or remove the Cookie header on redirects themselves. Note that the compliance-trestle change only raises the dependency requirement: the urllib3 version actually installed in a given environment still needs to be checked.
https://github.com/oscal-compass/compliance-trestle/pull/1472/commits/f0ce7047d1b48cc9534b262a5844d52541400d5d
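Two checks a practitioner would want around this advisory, as an added example that is not code from compliance-trestle or urllib3: a version gate for the installed urllib3 against the fixed versions named above, and a stand-alone model of the cross-origin redirect rule that the fix introduced (sensitive headers dropped when the redirect target's origin differs). The origin comparison by scheme, host and port is this example's own design choice, not a claim about urllib3's internal host check; the sample URLs and headers are constructed.

```python
"""Added example (not compliance-trestle's or urllib3's code): version gate for
CVE-2023-43804 and a model of stripping sensitive headers on cross-origin redirects."""
import re
from urllib.parse import urljoin, urlsplit

# Request headers that must never follow a redirect to a different origin.
# Authorization was already stripped by urllib3; Cookie was added in the fix.
SENSITIVE_HEADERS = frozenset({"cookie", "authorization"})

# First fixed release on each line, per the advisory on this page.
FIXED_1X = (1, 26, 17)
FIXED_2X = (2, 0, 5)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?$")


def parse_version(version):
    """Parse 'MAJOR.MINOR[.PATCH]' into a tuple; None for anything else
    (pre-releases such as '2.0.5rc1' are deliberately treated as unknown)."""
    m = _VERSION_RE.match(version.strip())
    if m is None:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_patched(version):
    """True if this urllib3 version contains the CVE-2023-43804 fix.

    1.x is fixed from 1.26.17; 2.x (and anything newer) from 2.0.5.
    Unparseable or pre-release strings are reported as not patched."""
    parsed = parse_version(version)
    if parsed is None:
        return False
    fixed = FIXED_1X if parsed[0] == 1 else FIXED_2X
    return parsed >= fixed


def origin(url):
    """(scheme, host, port) of an absolute URL, with default ports filled in."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    port = u.port or {"http": 80, "https": 443}.get(scheme)
    return (scheme, (u.hostname or "").lower(), port)


def headers_for_redirect(original_url, location, headers):
    """Return the headers to send when following `location` from `original_url`.

    A relative Location is resolved against the original URL. If the resolved
    target has the same origin the headers are forwarded unchanged; otherwise
    every header in SENSITIVE_HEADERS is dropped (compared case-insensitively).
    """
    target = urljoin(original_url, location)
    if origin(original_url) == origin(target):
        return dict(headers)
    return {k: v for k, v in headers.items() if k.lower() not in SENSITIVE_HEADERS}


if __name__ == "__main__":
    # Stand-alone run: report the installed urllib3, if any, then show the rule.
    try:
        from importlib.metadata import PackageNotFoundError, version
        installed = version("urllib3")
        print(f"urllib3 {installed}: {'patched' if is_patched(installed) else 'VULNERABLE'}")
    except PackageNotFoundError:
        print("urllib3 is not installed in this environment")

    # Constructed sample request: a cookie set on a login call that gets redirected.
    sample = {"Cookie": "session=abc123", "Authorization": "Bearer t0k3n", "Accept": "*/*"}
    print(headers_for_redirect("https://api.example.com/login", "/home", sample))
    print(headers_for_redirect("https://api.example.com/login", "https://cdn.example.net/", sample))
```

In real urllib3 code the equivalent knobs are `redirect=False` on `urlopen`/`request` to refuse redirects altogether, or a `Retry(remove_headers_on_redirect={"Cookie", "Authorization"})` object passed as `retries=` to make an older release strip the Cookie header the way 1.26.17 and 2.0.5 do by default.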
Latest version: 3.8.1
Tools to manage & autogenerate python objects representing the OSCAL layers/models
Feature
* Adding validate template type to author docs command ([1465](https://github.com/IBM/compliance-trestle/issues/1465)) ([`5289f51`](https://github.com/IBM/compliance-trestle/commit/5289f516e9710361e0dc391cefd979b5e2d46ed0))
Fix
* Upgrade urllib version to fix vulnerability ([1472](https://github.com/IBM/compliance-trestle/issues/1472)) ([`e9d4175`](https://github.com/IBM/compliance-trestle/commit/e9d4175fabd015ada6e8cdd26450c454ad83fbe8))
* Improve bad property error message by including csv row number ([1466](https://github.com/IBM/compliance-trestle/issues/1466)) ([`ab97beb`](https://github.com/IBM/compliance-trestle/commit/ab97beb2367112e9e68fb258af6dc2c75d909279))
* Cryptic error message + feat: indicates comment column ([1459](https://github.com/IBM/compliance-trestle/issues/1459)) ([`45eda01`](https://github.com/IBM/compliance-trestle/commit/45eda015751d2f9121e14fe609b14acd890440fd))
* Update community call information ([1444](https://github.com/IBM/compliance-trestle/issues/1444)) ([`5a03d06`](https://github.com/IBM/compliance-trestle/commit/5a03d06783fff8db4bf402b1e21acb99fd485454))
Documentation
* Updating vtt documentation for trestle author docs ([1471](https://github.com/IBM/compliance-trestle/issues/1471)) ([`63d436a`](https://github.com/IBM/compliance-trestle/commit/63d436a7752e50ef0c52c93cbab36f4c1fc16748))