Authorization Header Exposure in Urllib3 by Python Software Foundation
CVE-2018-20060

9.8 CRITICAL

Key Information:

Vendor
Python
Status
Vendor
CVE Published:
11 December 2018

Summary

Urllib3 versions prior to 1.23 are susceptible to a security vulnerability where the Authorization HTTP header is not removed when a request is redirected to a different origin. Because the header is forwarded along with the redirected request, credentials intended for the original host can be sent to a third-party server, potentially compromising user data and privacy. Applications using affected versions of Urllib3 should be updated promptly to prevent such exposures. Responsible management of authentication headers is critical to ensure the security of web applications.
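The following is an added example, not urllib3's own code: it shows the behaviour the fix enforces (dropping the Authorization header when the redirect target is a different origin) and a version check for the "prior to 1.23" range. The origin comparison on scheme, host and port and the set of headers to strip are assumptions made for this illustration.

```python
from urllib.parse import urlsplit

# Credential-bearing headers that must not follow a cross-origin redirect.
# Assumed set for this example; the advisory names only Authorization.
SENSITIVE_HEADERS = frozenset({"authorization"})


def same_origin(url_a: str, url_b: str) -> bool:
    """Compare scheme and netloc (host plus explicit port) case-insensitively."""
    a, b = urlsplit(url_a), urlsplit(url_b)
    return (a.scheme.lower(), a.netloc.lower()) == (b.scheme.lower(), b.netloc.lower())


def headers_for_redirect(headers: dict, from_url: str, to_url: str) -> dict:
    """Return the headers to send when following a redirect.

    Same-origin redirects keep every header; cross-origin redirects drop the
    credential-bearing ones, matching header names case-insensitively.
    """
    if same_origin(from_url, to_url):
        return dict(headers)
    return {k: v for k, v in headers.items() if k.lower() not in SENSITIVE_HEADERS}


def is_affected_version(version: str) -> bool:
    """True if a urllib3 version string is older than 1.23 (the fixed release)."""
    parts = []
    for piece in version.split("."):
        digits = ""
        for ch in piece:  # stop at the first non-digit, e.g. "22rc1" -> 22
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts) < (1, 23)


if __name__ == "__main__":
    # Constructed sample: an authenticated API call redirected to another host.
    original = {"Authorization": "Bearer constructed-token", "Accept": "*/*"}
    sent = headers_for_redirect(original, "https://api.example.com/v1", "https://cdn.other.example/")
    print("headers forwarded cross-origin:", sent)
    print("urllib3 1.22 affected:", is_affected_version("1.22"))
```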

References

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
