Description
urllib3 before version 1.23 does not remove the Authorization HTTP header when following a cross-origin redirect (i.e., a redirect that differs in host, port, or scheme). This can allow for credentials in the Authorization header to be exposed to unintended hosts or transmitted in cleartext.
Report
Red Hat Satellite 6.2 is in the Maintenance Support 2 phase, hence only selected critical and important issues will be fixed. Please refer to the Red Hat Satellite Product Life Cycle page for more information. In Red Hat OpenStack Platform 13, because the flaw has a lower impact and the fix would require a substantial amount of development, no update will be provided at this time for the RHOSP python-urllib3 package.
Mitigation
Use `retries=urllib3.Retry(redirect=0)` when performing requests if you do not need redirection, and handle the redirects manually if you need them.
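The following is an added example, not code from this advisory or from urllib3 itself, showing what "handle the redirects manually" looks like in practice. The redirect loop is written against a pluggable `send` callable so it runs offline; `urllib3_sender` (an assumed helper name) wires it to a real `urllib3.PoolManager`, using `redirect=False` together with `Retry(redirect=0, raise_on_redirect=False)` so that urllib3 hands back the 3xx response instead of following it. The URLs, token and routing table are constructed sample data. The origin check is the one the advisory describes: a hop that changes scheme, host or port is cross-origin, and credential-bearing headers are dropped before that hop is sent.

```python
"""Manual redirect handling that strips Authorization on cross-origin hops.

Added example for the advisory's mitigation; not urllib3's own code.
Requests are assumed to carry no body (GET/HEAD style API calls).
"""
from urllib.parse import urljoin, urlsplit

REDIRECT_STATUSES = {301, 302, 303, 307, 308}
DEFAULT_PORTS = {"http": 80, "https": 443}
# Headers that must never travel to a different origin (compared case-insensitively).
SENSITIVE_HEADERS = ("authorization", "proxy-authorization", "cookie")


def origin(url):
    """Return (scheme, host, port) with the default port filled in, as the advisory defines origin."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return scheme, (parts.hostname or "").lower(), port


def same_origin(url_a, url_b):
    return origin(url_a) == origin(url_b)


def strip_sensitive_headers(headers):
    """Return a copy of headers without credential-bearing headers."""
    return {k: v for k, v in headers.items() if k.lower() not in SENSITIVE_HEADERS}


def follow_redirects(send, method, url, headers=None, max_redirects=5):
    """Issue the request via `send` and follow redirects by hand.

    `send(method, url, headers)` must return (status, response_headers, body) and must
    NOT follow redirects itself. Returns (status, body, hops) where each hop is
    (from_url, to_url, credentials_stripped).
    """
    headers = dict(headers or {})
    hops = []
    for _ in range(max_redirects + 1):
        status, resp_headers, body = send(method, url, headers)
        location = resp_headers.get("Location")
        if status not in REDIRECT_STATUSES or not location:
            return status, body, hops
        target = urljoin(url, location)  # Location may be relative
        stripped = not same_origin(url, target)
        if stripped:
            headers = strip_sensitive_headers(headers)
        if status in (301, 302, 303) and method not in ("GET", "HEAD"):
            method = "GET"  # switch to GET on 301/302/303, as browsers do
        hops.append((url, target, stripped))
        url = target
    raise RuntimeError("exceeded %d redirects" % max_redirects)


def urllib3_sender(pool=None):
    """Build a `send` callable on a urllib3 PoolManager (assumes urllib3 is installed).

    redirect=False plus Retry(redirect=0, raise_on_redirect=False) makes urllib3
    return the 3xx response unfollowed, so follow_redirects() makes the decision.
    """
    import urllib3  # imported lazily so the offline demo below does not need it

    pool = pool or urllib3.PoolManager()
    no_redirect = urllib3.Retry(redirect=0, raise_on_redirect=False)

    def send(method, url, headers):
        resp = pool.request(method, url, headers=headers, retries=no_redirect, redirect=False)
        return resp.status, resp.headers, resp.data

    return send


def make_fake_sender(routes):
    """Offline stand-in for the network: `routes` maps URL -> (status, Location or None).
    Records the headers each URL received so the demo can show what would have leaked."""
    seen = {}

    def send(method, url, headers):
        seen[url] = dict(headers)
        status, location = routes.get(url, (200, None))
        resp_headers = {"Location": location} if location else {}
        return status, resp_headers, (b"ok" if status == 200 else b"")

    return send, seen


# Constructed sample: an authenticated call redirected to another host, then a
# same-origin relative redirect, then an https->http downgrade on the same host.
ROUTES = {
    "https://api.example.com/v1/me": (302, "https://cdn.example.net/profile"),
    "https://cdn.example.net/profile": (302, "/profile/v2"),
    "https://cdn.example.net/profile/v2": (301, "http://cdn.example.net/profile/v2"),
    "http://cdn.example.net/profile/v2": (200, None),
}


def demo():
    send, seen = make_fake_sender(ROUTES)
    status, body, hops = follow_redirects(
        send, "GET", "https://api.example.com/v1/me",
        {"Authorization": "Bearer CONSTRUCTED-TOKEN", "Accept": "application/json"},
    )
    return status, hops, seen


if __name__ == "__main__":
    status, hops, seen = demo()
    for src, dst, stripped in hops:
        print("%s -> %s  (credentials stripped: %s)" % (src, dst, stripped))
    for url, hdrs in seen.items():
        print(url, "received Authorization:", "Authorization" in hdrs)
```

Run as-is, the demo shows the token reaching only `api.example.com`; the first cross-origin hop drops it, the same-origin hop would have kept it, and the https-to-http hop counts as cross-origin because the scheme (and therefore the default port) differs. Against a pre-1.23 urllib3 with redirects left enabled, every host in that chain would have received the bearer token, which is the exposure the advisory describes.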
Affected packages
Platform | Package | State | Advisory | Release
---|---|---|---|---
Red Hat Enterprise Linux 6 | python-urllib3 | Will not fix | |
Red Hat Enterprise Linux 8 | python36:3.6/python-virtualenv | Not affected | |
Red Hat Enterprise Linux 8 | python-urllib3 | Not affected | |
Red Hat OpenShift Container Platform 3.10 | python-urllib3 | Fix deferred | |
Red Hat OpenShift Container Platform 3.11 | python-urllib3 | Will not fix | |
Red Hat OpenShift Container Platform 3.6 | python-urllib3 | Out of support scope | |
Red Hat OpenShift Container Platform 3.7 | python-urllib3 | Out of support scope | |
Red Hat OpenShift Container Platform 3.9 | python-urllib3 | Fix deferred | |
Red Hat OpenStack Platform 10 (Newton) | python-urllib3 | Will not fix | |
Red Hat OpenStack Platform 13 (Queens) | python-urllib3 | Will not fix | |
Additional information
Status:
EPSS
5.3 Medium
CVSS3
Related vulnerabilities
urllib3 before version 1.23 does not remove the Authorization HTTP header when following a cross-origin redirect (i.e., a redirect that differs in host, port, or scheme). This can allow for credentials in the Authorization header to be exposed to unintended hosts or transmitted in cleartext.
Exposure of Sensitive Information to an Unauthorized Actor in urllib3
Vulnerability in the urllib3 module of the Python programming language interpreter, related to credential management errors, allowing an attacker to disclose protected information