Description
Insufficiently Protected Credentials in Requests
The Requests package through 2.19.1 before 2018-09-14 for Python sends an HTTP Authorization header to an http URI upon receiving a same-hostname https-to-http redirect, which makes it easier for remote attackers to discover credentials by sniffing the network.
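The redirect decision described above, as an added example (not code from Requests or from this advisory): a simplified hostname-only rule that keeps the Authorization header on a same-hostname https-to-http redirect, next to a stricter same-origin rule that drops it. The function names, the example.test URLs and the placeholder credential are assumptions made for illustration.

```python
from urllib.parse import urlparse

DEFAULT_PORTS = {"http": 80, "https": 443}


def _origin(url):
    """Return (scheme, hostname, effective port) for a URL."""
    p = urlparse(url)
    scheme = p.scheme.lower()
    return scheme, (p.hostname or "").lower(), p.port or DEFAULT_PORTS.get(scheme)


def strip_auth_hostname_only(old_url, new_url):
    """Simplified model of the affected behaviour: only the hostname is compared."""
    return _origin(old_url)[1] != _origin(new_url)[1]


def strip_auth_hardened(old_url, new_url):
    """Strip Authorization unless the redirect stays on the same origin.

    The single exception is an http -> https upgrade on the same host using
    default ports, which only makes the channel stronger.
    """
    old_scheme, old_host, old_port = _origin(old_url)
    new_scheme, new_host, new_port = _origin(new_url)
    if old_host != new_host:
        return True
    if (old_scheme, old_port, new_scheme, new_port) == ("http", 80, "https", 443):
        return False
    return (old_scheme, old_port) != (new_scheme, new_port)


def headers_after_redirect(headers, old_url, new_url, should_strip):
    """Return the headers to send to new_url, without mutating the input."""
    out = dict(headers)
    if should_strip(old_url, new_url):
        out.pop("Authorization", None)
    return out


# Constructed sample: a same-hostname https -> http redirect.
SAMPLE_HEADERS = {"Authorization": "Basic <placeholder>", "Accept": "*/*"}
SAMPLE_OLD = "https://api.example.test/login"
SAMPLE_NEW = "http://api.example.test/login"

if __name__ == "__main__":
    for rule in (strip_auth_hostname_only, strip_auth_hardened):
        sent = headers_after_redirect(SAMPLE_HEADERS, SAMPLE_OLD, SAMPLE_NEW, rule)
        print(rule.__name__, "-> Authorization sent:", "Authorization" in sent)
```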
References
- https://nvd.nist.gov/vuln/detail/CVE-2018-18074
- https://github.com/requests/requests/issues/4716
- https://github.com/requests/requests/pull/4718
- https://github.com/requests/requests/commit/c45d7c49ea75133e52ab22a8e9e13173938e36ff
- https://access.redhat.com/errata/RHSA-2019:2035
- https://bugs.debian.org/910766
- https://github.com/pypa/advisory-database/tree/main/vulns/requests/PYSEC-2018-28.yaml
- https://usn.ubuntu.com/3790-1
- https://usn.ubuntu.com/3790-2
- https://www.oracle.com/security-alerts/cpujul2022.html
- http://docs.python-requests.org/en/master/community/updates/#release-and-version-history
- http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00024.html
Packages
requests: affected <= 2.19.1, fixed in 2.20.0
Related vulnerabilities
The Requests package before 2.20.0 for Python sends an HTTP Authorization header to an http URI upon receiving a same-hostname https-to-http redirect, which makes it easier for remote attackers to discover credentials by sniffing the network.