Description
urllib3 before 1.24.2 does not remove the authorization HTTP header when following a cross-origin redirect (i.e., a redirect that differs in host, port, or scheme). This can allow for credentials in the authorization header to be exposed to unintended hosts or transmitted in cleartext. NOTE: this issue exists because of an incomplete fix for CVE-2018-20060 (which was case-sensitive).
Release | Status | Note |
---|---|---|
bionic | ignored | end of standard support |
devel | needs-triage | |
esm-apps/bionic | released | 9.0.1-2.3~ubuntu1.18.04.8+esm2 |
esm-apps/focal | released | 20.0.2-5ubuntu1.10 |
esm-apps/jammy | released | 22.0.2+dfsg-1ubuntu0.4 |
esm-apps/noble | needs-triage | |
esm-apps/xenial | released | 8.1.1-2ubuntu0.6+esm6 |
esm-infra-legacy/trusty | needs-triage | |
focal | released | 20.0.2-5ubuntu1.10 |
jammy | released | 22.0.2+dfsg-1ubuntu0.4 |
Release | Status | Note |
---|---|---|
bionic | ignored | end of standard support |
devel | not-affected | |
esm-infra-legacy/trusty | needs-triage | |
esm-infra/bionic | released | 1.22-1ubuntu0.18.04.2+esm1 |
esm-infra/focal | not-affected | 1.25.8-2ubuntu0.2 |
esm-infra/xenial | released | 1.13.1-2ubuntu0.16.04.4+esm1 |
focal | not-affected | 1.25.8-2ubuntu0.2 |
jammy | not-affected | |
lunar | not-affected | |
mantic | not-affected | |
Source links
6.1 Medium
CVSS3
Related vulnerabilities
Vulnerability in the Python HTTP library urllib3 related to open redirection, allowing an attacker to gain access to confidential data and compromise its integrity
6.1 Medium
CVSS3