CVE-2018-20060
Published: Dec 11, 2018
Modified: Dec 27, 2024
State: PUBLISHED
Description
urllib3 before version 1.23 does not remove the Authorization HTTP header when following a cross-origin redirect (i.e., a redirect to a location that differs in host, port, or scheme). This can allow the credentials carried in the Authorization header to be disclosed to an unintended host, or to be transmitted in cleartext when the redirect downgrades from https to http.
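The following is an added example, not urllib3's own code, showing the check that closes this class of bug: compare the effective origin (scheme, host, port with defaults filled in) of the original request and the resolved redirect target, and drop the Authorization header only when they differ. The function names, the set of headers stripped, and the sample token are constructed for this illustration.

```python
from urllib.parse import urljoin, urlsplit

# Default ports so that http://a and http://a:80 are treated as the same origin.
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return (scheme, host, effective port) for comparison purposes."""
    parts = urlsplit(url)
    scheme = (parts.scheme or "").lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return scheme, host, port


def is_cross_origin(from_url, to_url):
    """True when scheme, host or port differs, i.e. the CVE-2018-20060 case."""
    return origin(from_url) != origin(to_url)


def headers_for_redirect(headers, from_url, location, strip=("Authorization",)):
    """Return the headers to send when following a redirect.

    `location` is the raw Location header value and may be relative, so it is
    resolved against the original URL first. On a cross-origin redirect the
    headers named in `strip` are removed (header names compared
    case-insensitively); same-origin redirects keep every header.
    """
    to_url = urljoin(from_url, location)
    if not is_cross_origin(from_url, to_url):
        return dict(headers)
    lowered = {h.lower() for h in strip}
    return {k: v for k, v in headers.items() if k.lower() not in lowered}


if __name__ == "__main__":
    # Constructed sample request headers; the token is not real.
    hdrs = {"Authorization": "Bearer constructed-example-token", "Accept": "*/*"}
    # Same origin (relative Location): Authorization is kept.
    print(headers_for_redirect(hdrs, "https://api.example/v1", "/v2"))
    # Scheme downgrade to http: Authorization is removed before the next hop.
    print(headers_for_redirect(hdrs, "https://api.example/v1", "http://api.example/v1"))
```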
| Vendor | Product | Versions |
|---|---|---|
| n/a | n/a | n/a (affected) |
References
- https://github.com/urllib3/urllib3/issues/1316 (x_refsource_MISC)
- https://github.com/urllib3/urllib3/pull/1346 (x_refsource_MISC)
- https://github.com/urllib3/urllib3/blob/master/CHANGES.rst (x_refsource_MISC)
- https://bugzilla.redhat.com/show_bug.cgi?id=1649153 (x_refsource_MISC)
- FEDORA-2019-a6c56f9756 (vendor-advisory, x_refsource_FEDORA)
- FEDORA-2019-6afaa38e7b (vendor-advisory, x_refsource_FEDORA)
- FEDORA-2019-8560719e80 (vendor-advisory, x_refsource_FEDORA)
- USN-3990-1 (vendor-advisory, x_refsource_UBUNTU)
- RHSA-2019:2272 (vendor-advisory, x_refsource_REDHAT)
- openSUSE-SU-2019:2131 (vendor-advisory, x_refsource_SUSE)
- [debian-lts-announce] 20210615 [SECURITY] [DLA 2686-1] python-urllib3 security update (mailing-list, x_refsource_MLIST)