HTTP Authorization Header Exposure in Ktor Client Software
CVE-2019-19703
6.1 MEDIUM
Summary
In Ktor versions up to 1.2.6, the HTTP client improperly handles redirects: when following a redirect it resends the HTTP Authorization header of the original request to the redirected URL, even when that URL belongs to a different origin. This can expose user credentials or authentication tokens to unintended recipients and is a significant security risk. Affected users should upgrade to the latest version to avoid the vulnerabilities associated with this behavior.
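An added illustration of the check a fixed client should apply before following a redirect: the Authorization header is forwarded only when the target shares the original request's origin. This is language-neutral example code written in Python, not Ktor's own implementation, and the URLs and headers are constructed samples.

```python
from urllib.parse import urlsplit

# Constructed sample: an authenticated request and two possible redirect targets.
ORIGINAL = "https://api.example.com/v1/report"
SAME_ORIGIN_REDIRECT = "https://api.example.com/v1/report/latest"
CROSS_ORIGIN_REDIRECT = "https://cdn.other-example.net/report.pdf"

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return (scheme, host, effective port) for a URL; host is lowercased
    and a missing port is resolved to the scheme default."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    port = parts.port or DEFAULT_PORTS.get(scheme)
    return scheme, (parts.hostname or "").lower(), port


def should_forward_authorization(original_url, redirect_url):
    """Forward Authorization only when the redirect target has the same
    origin as the original request. Any change of scheme (including an
    https->http downgrade), host or port means the credential stays home."""
    return origin(original_url) == origin(redirect_url)


def headers_for_redirect(headers, original_url, redirect_url):
    """Build the header set for the redirected request, dropping the
    Authorization header (matched case-insensitively) on cross-origin targets."""
    if should_forward_authorization(original_url, redirect_url):
        return dict(headers)
    return {k: v for k, v in headers.items() if k.lower() != "authorization"}


if __name__ == "__main__":
    request_headers = {"Authorization": "Bearer constructed-token", "Accept": "*/*"}
    for target in (SAME_ORIGIN_REDIRECT, CROSS_ORIGIN_REDIRECT):
        forwarded = headers_for_redirect(request_headers, ORIGINAL, target)
        print(target, "->", sorted(forwarded))
```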
CVSS v3.1
Score: 6.1
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Timeline
Vulnerability published
Vulnerability reserved