Vulnerability Details : CVE-2018-20060
urllib3 before version 1.23 does not remove the Authorization HTTP header when following a cross-origin redirect (i.e., a redirect that differs in host, port, or scheme). This can allow for credentials in the Authorization header to be exposed to unintended hosts or transmitted in cleartext.
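The following is an added illustration (not urllib3's own code) of the origin check the fix relies on: a redirect is cross-origin when scheme, host or effective port differ, and only then must credential-bearing headers be dropped. The vulnerable and hardened forwarding behaviours are shown side by side; header values and URLs are constructed for the example.

```python
# Added example (not urllib3 code): decide whether Authorization may follow a redirect.
from urllib.parse import urljoin, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
SENSITIVE_HEADERS = {"authorization"}  # compared case-insensitively


def origin(url):
    """Return (scheme, host, effective port), filling in the scheme's default port."""
    parts = urlsplit(url)
    scheme = (parts.scheme or "http").lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return scheme, host, port


def is_cross_origin(prev_url, location):
    """True when the redirect leaves the origin (scheme, host or port differs).

    A relative Location header is resolved against the previous URL first,
    so "/login" on the same server is correctly treated as same-origin.
    """
    return origin(prev_url) != origin(urljoin(prev_url, location))


def redirect_headers_vulnerable(headers, prev_url, location):
    """Pre-1.23 behaviour: every request header is forwarded to the new location."""
    return dict(headers)


def redirect_headers_fixed(headers, prev_url, location):
    """Hardened behaviour: strip credential headers on any cross-origin redirect."""
    forwarded = dict(headers)
    if is_cross_origin(prev_url, location):
        for name in list(forwarded):
            if name.lower() in SENSITIVE_HEADERS:
                del forwarded[name]
    return forwarded


if __name__ == "__main__":
    hdrs = {"Authorization": "Bearer constructed-example-token", "Accept": "*/*"}
    src = "https://api.example.com/v1/data"
    for dst in ("https://api.example.com/v1/other",  # same origin: header kept
                "http://api.example.com/v1/data",    # scheme change: header dropped
                "https://cdn.example.net/file"):     # host change: header dropped
        print(dst, "->", sorted(redirect_headers_fixed(hdrs, src, dst)))
```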
Products affected by CVE-2018-20060
- cpe:2.3:o:fedoraproject:fedora:28:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:29:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*
- cpe:2.3:a:python:urllib3:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2018-20060
EPSS score: 0.48% (probability of exploitation activity in the next 30 days)
EPSS percentile: ~64% (the proportion of vulnerabilities scored at or below this score)
CVSS scores for CVE-2018-20060
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N | 10.0 | 2.9 | NIST | |
9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 | NIST | |
References for CVE-2018-20060
- Auth header remains during redirects · Issue #1316 · urllib3/urllib3 · GitHub (Third Party Advisory): https://github.com/urllib3/urllib3/issues/1316
- [security-announce] openSUSE-SU-2019:2131-1: moderate: Security update f: http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00039.html
- Remove Authorization header when redirecting cross-host by sethmlarson · Pull Request #1346 · urllib3/urllib3 · GitHub (Third Party Advisory): https://github.com/urllib3/urllib3/pull/1346
- [SECURITY] Fedora 29 Update: python-urllib3-1.24.2-1.fc29 - package-announce - Fedora mailing-lists (Mailing List; Release Notes; Third Party Advisory): https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5SJERZEJDSUYQP7BNBXMBHRHGY26HRZD/
- USN-3990-1: urllib3 vulnerabilities | Ubuntu security notices: https://usn.ubuntu.com/3990-1/
- [SECURITY] Fedora 30 Update: python-urllib3-1.24.2-1.fc30 - package-announce - Fedora mailing-lists (Mailing List; Release Notes; Third Party Advisory): https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XWP36YW3KSVLXDBY3QJKDYEPCIMN3VQZ/
- [SECURITY] [DLA 2686-1] python-urllib3 security update: https://lists.debian.org/debian-lts-announce/2021/06/msg00015.html
- RHSA-2019:2272 - Security Advisory - Red Hat Customer Portal: https://access.redhat.com/errata/RHSA-2019:2272
- urllib3/CHANGES.rst at master · urllib3/urllib3 · GitHub (Release Notes; Third Party Advisory): https://github.com/urllib3/urllib3/blob/master/CHANGES.rst
- [SECURITY] Fedora 28 Update: python-urllib3-1.24.2-1.fc28 - package-announce - Fedora mailing-lists (Mailing List; Release Notes; Third Party Advisory): https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BXLAXHM3Z6DUCXZ7ZXZ2EAYJXWDCZFCT/
- NetApp advisory ntap-20241227-0010: https://security.netapp.com/advisory/ntap-20241227-0010/
- 1649153 – (CVE-2018-20060) CVE-2018-20060 python-urllib3: Cross-host redirect does not remove Authorization header allow for credential exposure (Issue Tracking; Mitigation; Patch; Third Party Advisory): https://bugzilla.redhat.com/show_bug.cgi?id=1649153