urllib3 before version 1.23 does not remove the Authorization HTTP header when following a cross-origin redirect (i.e., a redirect that differs in host, port, or scheme). This can allow for credentials in the Authorization header to be exposed to unintended hosts or transmitted in cleartext.
References
Configurations
History
21 Nov 2024, 04:00
Type | Values Removed | Values Added |
---|---|---|
References | () http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00039.html - | |
References | () https://access.redhat.com/errata/RHSA-2019:2272 - | |
References | () https://bugzilla.redhat.com/show_bug.cgi?id=1649153 - Issue Tracking, Mitigation, Patch, Third Party Advisory | |
References | () https://github.com/urllib3/urllib3/blob/master/CHANGES.rst - Release Notes, Third Party Advisory | |
References | () https://github.com/urllib3/urllib3/issues/1316 - Third Party Advisory | |
References | () https://github.com/urllib3/urllib3/pull/1346 - Third Party Advisory | |
References | () https://lists.debian.org/debian-lts-announce/2021/06/msg00015.html - | |
References | () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5SJERZEJDSUYQP7BNBXMBHRHGY26HRZD/ - | |
References | () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BXLAXHM3Z6DUCXZ7ZXZ2EAYJXWDCZFCT/ - | |
References | () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XWP36YW3KSVLXDBY3QJKDYEPCIMN3VQZ/ - | |
References | () https://usn.ubuntu.com/3990-1/ - |
07 Nov 2023, 02:56
Type | Values Removed | Values Added |
---|---|---|
References |
|
|
Information
Published : 2018-12-11 17:29
Updated : 2024-11-21 04:00
NVD link : CVE-2018-20060
Mitre link : CVE-2018-20060
CVE.ORG link : CVE-2018-20060
JSON object : View
Products Affected
fedoraproject
- fedora
python
- urllib3
CWE