urllib3 before version 1.23 does not remove the Authorization HTTP header when following a cross-origin redirect (i.e., a redirect that differs in host, port, or scheme). This can allow for credentials in the Authorization header to be exposed to unintended hosts or transmitted in cleartext.
References
Configurations
History
07 Nov 2023, 02:56
Type | Values Removed | Values Added |
---|---|---|
References |
|
|
Information
Published : 2018-12-11 17:29
Updated : 2024-02-28 16:48
NVD link : CVE-2018-20060
Mitre link : CVE-2018-20060
CVE.ORG link : CVE-2018-20060
JSON object : View
Products Affected
fedoraproject
- fedora
python
- urllib3
CWE