
exploitDog


CVE-2018-20060

Published: 11 Dec 2018
Source: debian
EPSS: Low

Description

urllib3 before version 1.23 does not remove the Authorization HTTP header when following a cross-origin redirect (i.e., a redirect that differs in host, port, or scheme). This can allow for credentials in the Authorization header to be exposed to unintended hosts or transmitted in cleartext.
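The rule the advisory describes, as an added example that is not urllib3's own code: a client that follows redirects must drop the Authorization header whenever the redirect target has a different origin, with origin taken as the (scheme, host, port) triple. The hostnames (`*.example.test`), the bearer token, the `RESPONSES` table that stands in for real servers, and the function names are all constructed for this example; default ports are normalized so that `http://a.test/` and `http://a.test:80/` count as the same origin, which is a design choice here rather than something the advisory specifies. The `strip=False` path reproduces the pre-1.23 behaviour so the leak is visible on the same input.

```python
"""Minimal redirect policy (added example, not urllib3's implementation):
strip Authorization when a redirect crosses origin = (scheme, host, port)."""
from urllib.parse import urljoin, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Headers to drop on a cross-origin redirect. The advisory names Authorization;
# extending this set (e.g. with Proxy-Authorization) is a deployment decision.
STRIP_ON_CROSS_ORIGIN = frozenset({"authorization"})

# Constructed stand-in for two servers: url -> (status, Location header).
RESPONSES = {
    "https://api.example.test/v1/data": (302, "http://mirror.example.test/v1/data"),
    "http://mirror.example.test/v1/data": (302, "/v2/data"),  # relative Location
}
HEADERS = {"Authorization": "Bearer constructed-token", "Accept": "application/json"}


def origin(url):
    """Return (scheme, host, port), filling in the scheme's default port."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return scheme, host, port


def is_cross_origin(from_url, to_url):
    """True when host, port, or scheme differs between the two URLs."""
    return origin(from_url) != origin(to_url)


def redirect_headers(headers, from_url, to_url):
    """Headers to send to `to_url` after a redirect from `from_url`.

    Header names are matched case-insensitively; a new dict is returned.
    """
    if not is_cross_origin(from_url, to_url):
        return dict(headers)
    return {k: v for k, v in headers.items() if k.lower() not in STRIP_ON_CROSS_ORIGIN}


def follow(start_url, headers, responses, strip=True, max_redirects=5):
    """Follow redirects against `responses`; return [(url, headers_sent), ...].

    strip=False mirrors the vulnerable pre-1.23 behaviour: every hop receives
    the original headers, Authorization included.
    """
    url, sent = start_url, dict(headers)
    trail = []
    for _ in range(max_redirects + 1):
        trail.append((url, sent))
        status, location = responses.get(url, (200, None))
        if status not in (301, 302, 303, 307, 308) or location is None:
            return trail
        next_url = urljoin(url, location)  # Location may be relative
        sent = redirect_headers(sent, url, next_url) if strip else dict(sent)
        url = next_url
    raise RuntimeError("too many redirects")


def leaked_hosts(trail, header="authorization"):
    """Hosts other than the first one that received `header` at all."""
    first = origin(trail[0][0])[1]
    return sorted({origin(u)[1] for u, h in trail[1:]
                   if any(k.lower() == header for k in h) and origin(u)[1] != first})


if __name__ == "__main__":
    print("vulnerable:", leaked_hosts(follow(next(iter(RESPONSES)), HEADERS, RESPONSES, strip=False)))
    print("fixed:     ", leaked_hosts(follow(next(iter(RESPONSES)), HEADERS, RESPONSES)))
```

`leaked_hosts` is the check a defender would run over a redirect trail (or over proxy logs of outbound requests): any host other than the one the credential was meant for that saw an Authorization header is a leak, and in the constructed scenario the mirror host appears only on the vulnerable path.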

Packages

Package          Status    Fixed version   Release   Type
python-urllib3   fixed     1.24-1                    package
python-urllib3   ignored                   jessie    package

Notes

  • https://github.com/urllib3/urllib3/issues/1316

  • https://github.com/urllib3/urllib3/pull/1346

  • https://github.com/urllib3/urllib3/commit/3d7f98b07b6e6e04c2e89cdf5afb18024a2d804c

  • https://github.com/urllib3/urllib3/commit/f99912beeaf230ee3634b938d3ea426ffd1f3e57

  • https://github.com/urllib3/urllib3/commit/48dba048081dfcb999afcda715d17147aa15b6ea

  • https://github.com/urllib3/urllib3/commit/23e2eb56af23db5a1eeb8ad9b51dd99a27c15522

  • https://github.com/urllib3/urllib3/commit/5e9c6b9175d66170ef65fc703f2e46788a59ca0c

  • https://github.com/urllib3/urllib3/commit/9c9dd6f3014e89bb9c532b641abcf1b24c3896ab

  • https://github.com/urllib3/urllib3/commit/6245ddddb7f80740c5c15e1750e5b9f68c5b2b5f

  • https://github.com/urllib3/urllib3/commit/3b5f27449e153ad05186beca8fbd9b134936fe50

  • https://github.com/urllib3/urllib3/commit/1742538d57865e61125c6c12a755b5db41636fe7

  • https://github.com/urllib3/urllib3/commit/2a42e70ff077006d5a6da92251ddbb2939303f94

  • https://github.com/urllib3/urllib3/commit/e8a727a0b8389f5f75981858a8bbb319646f4450

  • https://github.com/urllib3/urllib3/commit/63948f3a607ed8e7a3ce9ac4e20782359896e27e

  • https://github.com/urllib3/urllib3/commit/560bd227b90f74417ffaedebf5f8d05a8ee4f532

  • Fixed upstream in 1.23

  • https://github.com/urllib3/urllib3/commit/adb358f8e06865406d1f05e581a16cbea2136fbc (follow-up to avoid CVE-2018-25091)

EPSS

Percentile: 64%
0.00481
Low

Related vulnerabilities

CVSS3: 9.8
ubuntu
more than 6 years ago

CVSS3: 5.3
redhat
about 7 years ago

CVSS3: 9.8
nvd
more than 6 years ago

CVSS3: 9.8
github
more than 6 years ago

Exposure of Sensitive Information to an Unauthorized Actor in urllib3

CVSS3: 9.8
fstec
about 6 years ago

Vulnerability in the urllib3 module of the Python programming language interpreter, related to credential management errors, allowing an attacker to disclose protected information