Severity: 9.8 CRITICAL
EPSS: 0.4% (top 37.17%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Dec 11; Latest update Oct 15

Description

urllib3 before version 1.23 does not remove the Authorization HTTP header when following a cross-origin redirect (i.e., a redirect that differs in host, port, or scheme). This can allow for credentials in the Authorization header to be exposed to unintended hosts or transmitted in cleartext.
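The behaviour described above is easiest to reason about as an origin comparison at redirect time. The following Python is an added illustration, not urllib3's own code: it normalises the original and redirect URLs to (scheme, host, port) with default ports filled in, and drops the Authorization header only when that origin triple changes, which is the policy urllib3 adopted from 1.23 onward. The header names, function names, and sample URLs are constructed for the example.

```python
from urllib.parse import urljoin, urlsplit

# Default ports per scheme, so http://a.example and http://a.example:80
# count as the same origin (assumption for this example; mirrors the idea
# of urllib3's same-host check without reusing its code).
DEFAULT_PORTS = {"http": 80, "https": 443}

# Credential-bearing headers that must not be forwarded to another origin.
SENSITIVE_HEADERS = ("authorization",)


def origin(url: str) -> tuple:
    """Reduce a URL to its (scheme, host, port) origin, lower-cased."""
    parts = urlsplit(url)
    scheme = (parts.scheme or "http").lower()
    host = (parts.hostname or "").lower()
    port = parts.port or DEFAULT_PORTS.get(scheme)
    return scheme, host, port


def is_cross_origin(original_url: str, location: str) -> bool:
    """True when following `location` (absolute or relative, as found in a
    Location header) would leave the origin of `original_url`."""
    target = urljoin(original_url, location)
    return origin(original_url) != origin(target)


def headers_for_redirect(headers: dict, original_url: str, location: str) -> dict:
    """Return the headers to send when following the redirect.

    Same-origin redirects keep every header; cross-origin redirects
    (different scheme, host or port) drop the credential headers, which is
    the vulnerable pre-1.23 behaviour corrected.
    """
    if not is_cross_origin(original_url, location):
        return dict(headers)
    return {k: v for k, v in headers.items() if k.lower() not in SENSITIVE_HEADERS}


if __name__ == "__main__":
    # Constructed sample: a bearer token sent to an API that redirects.
    request_headers = {"Authorization": "Bearer example-token", "Accept": "*/*"}
    for target in ("/v2/items", "https://api.example:443/v2",
                   "http://api.example/v2", "https://cdn.example/file"):
        sent = headers_for_redirect(request_headers, "https://api.example/v1", target)
        print(target, "->", "kept" if "Authorization" in sent else "dropped")
```

A relative Location is resolved against the original URL before comparison, and an explicit default port (`:443` on https) is treated as the same origin as the implicit one, so the check neither leaks on an absolute cross-host redirect nor spuriously strips credentials on an ordinary same-site redirect.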

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9

Affected Packages (4 packages)

PyPI: urllib3 < 1.23
NVD: python/urllib3 < 1.23
Debian: python-urllib3 < 1.24-1+3
Ubuntu: python-urllib3 < 1.13.1-2ubuntu0.16.04.3+1

Also affects: Fedora 28, 29, 30

Patches

🔴 Vulnerability Details (6)

GHSA: Authorization Header forwarded on redirect (2023-10-15)
OSV: python-urllib3 vulnerabilities (2019-05-21)
OSV: Exposure of Sensitive Information to an Unauthorized Actor in urllib3 (2018-12-12)
GHSA: Exposure of Sensitive Information to an Unauthorized Actor in urllib3 (2018-12-12)
CVEList: CVE-2018-20060: urllib3 before version 1 (2018-12-11)

📋 Vendor Advisories (3)

Ubuntu: urllib3 vulnerabilities (2019-05-21)
Red Hat: python-urllib3: Cross-host redirect does not remove Authorization header allow for credential exposure (2018-03-26)
Debian: CVE-2018-20060: python-urllib3 - urllib3 before version 1.23 does not remove the Authorization HTTP header when f... (2018)

💬 Community (11)

Bugzilla: CVE-2018-20060 python-virtualenv: python-urllib3: Cross-host redirect does not remove Authorization header allow for credential exposure [epel-6] (2019-11-29)
Bugzilla: CVE-2018-20060 python-virtualenv: python-urllib3: Cross-host redirect does not remove Authorization header allow for credential exposure [fedora-30] (2019-11-29)
Bugzilla: CVE-2018-20060 python3-virtualenv: python-urllib3: Cross-host redirect does not remove Authorization header allow for credential exposure [epel-7] (2019-11-29)
Bugzilla: CVE-2018-20060 python-pip: python-urllib3: Cross-host redirect does not remove Authorization header allow for credential exposure [epel-6] (2019-11-20)
Bugzilla: CVE-2018-20060 python-pip-epel: python-urllib3: Cross-host redirect does not remove Authorization header allow for credential exposure [epel-7] (2019-11-20)
CVE-2018-20060 (CRITICAL CVSS 9.8) | urllib3 before version 1.23 does no | cvebase.io