Vulnerability Details CVE-2018-20060
urllib3 before version 1.23 does not remove the Authorization HTTP header when following a cross-origin redirect (i.e., a redirect that differs in host, port, or scheme). This can allow for credentials in the Authorization header to be exposed to unintended hosts or transmitted in cleartext.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.009
EPSS Ranking 75.1%
CVSS Severity
CVSS v3 Score 9.8
CVSS v2 Score 5.0
References
- http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00039.html
- https://access.redhat.com/errata/RHSA-2019:2272
- https://bugzilla.redhat.com/show_bug.cgi?id=1649153
- https://github.com/urllib3/urllib3/blob/master/CHANGES.rst
- https://github.com/urllib3/urllib3/issues/1316
- https://github.com/urllib3/urllib3/pull/1346
- https://lists.debian.org/debian-lts-announce/2021/06/msg00015.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5SJERZEJDSUYQP7BNBXMBHRHGY26HRZD/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BXLAXHM3Z6DUCXZ7ZXZ2EAYJXWDCZFCT/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XWP36YW3KSVLXDBY3QJKDYEPCIMN3VQZ/
- https://usn.ubuntu.com/3990-1/
- http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00039.html
- https://access.redhat.com/errata/RHSA-2019:2272
- https://bugzilla.redhat.com/show_bug.cgi?id=1649153
- https://github.com/urllib3/urllib3/blob/master/CHANGES.rst
- https://github.com/urllib3/urllib3/issues/1316
- https://github.com/urllib3/urllib3/pull/1346
- https://lists.debian.org/debian-lts-announce/2021/06/msg00015.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5SJERZEJDSUYQP7BNBXMBHRHGY26HRZD/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BXLAXHM3Z6DUCXZ7ZXZ2EAYJXWDCZFCT/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XWP36YW3KSVLXDBY3QJKDYEPCIMN3VQZ/
- https://security.netapp.com/advisory/ntap-20241227-0010/
- https://usn.ubuntu.com/3990-1/
Products affected by CVE-2018-20060
-
cpe:2.3:a:python:urllib3:0.3
-
cpe:2.3:a:python:urllib3:0.3.1
-
cpe:2.3:a:python:urllib3:0.4
-
cpe:2.3:a:python:urllib3:0.4.1
-
cpe:2.3:a:python:urllib3:1.0
-
cpe:2.3:a:python:urllib3:1.0.1
-
cpe:2.3:a:python:urllib3:1.0.2
-
cpe:2.3:a:python:urllib3:1.1
-
cpe:2.3:a:python:urllib3:1.10
-
cpe:2.3:a:python:urllib3:1.10.1
-
cpe:2.3:a:python:urllib3:1.10.2
-
cpe:2.3:a:python:urllib3:1.10.3
-
cpe:2.3:a:python:urllib3:1.10.4
-
cpe:2.3:a:python:urllib3:1.11
-
cpe:2.3:a:python:urllib3:1.12
-
cpe:2.3:a:python:urllib3:1.13
-
cpe:2.3:a:python:urllib3:1.13.1
-
cpe:2.3:a:python:urllib3:1.14
-
cpe:2.3:a:python:urllib3:1.15
-
cpe:2.3:a:python:urllib3:1.15.1
-
cpe:2.3:a:python:urllib3:1.16
-
cpe:2.3:a:python:urllib3:1.17
-
cpe:2.3:a:python:urllib3:1.18
-
cpe:2.3:a:python:urllib3:1.18.1
-
cpe:2.3:a:python:urllib3:1.19
-
cpe:2.3:a:python:urllib3:1.19.1
-
cpe:2.3:a:python:urllib3:1.2
-
cpe:2.3:a:python:urllib3:1.2.1
-
cpe:2.3:a:python:urllib3:1.20
-
cpe:2.3:a:python:urllib3:1.21
-
cpe:2.3:a:python:urllib3:1.21.1
-
cpe:2.3:a:python:urllib3:1.22
-
cpe:2.3:a:python:urllib3:1.3
-
cpe:2.3:a:python:urllib3:1.4
-
cpe:2.3:a:python:urllib3:1.5
-
cpe:2.3:a:python:urllib3:1.6
-
cpe:2.3:a:python:urllib3:1.7
-
cpe:2.3:a:python:urllib3:1.7.1
-
cpe:2.3:a:python:urllib3:1.8
-
cpe:2.3:a:python:urllib3:1.8.1
-
cpe:2.3:a:python:urllib3:1.8.2
-
cpe:2.3:a:python:urllib3:1.8.3
-
cpe:2.3:a:python:urllib3:1.9
-
cpe:2.3:a:python:urllib3:1.9.1
-
cpe:2.3:o:fedoraproject:fedora:28
-
cpe:2.3:o:fedoraproject:fedora:29
-
cpe:2.3:o:fedoraproject:fedora:30