CVE-2018-25091
Summary
| CVE | CVE-2018-25091 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2023-10-15 19:15:00 UTC |
| Updated | 2023-10-19 14:01:00 UTC |
| Description | urllib3 before 1.24.2 does not remove the authorization HTTP header when following a cross-origin redirect (i.e., a redirect that differs in host, port, or scheme). This can allow for credentials in the authorization header to be exposed to unintended hosts or transmitted in cleartext. NOTE: this issue exists because of an incomplete fix for CVE-2018-20060 (which was case-sensitive). |
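The description above hinges on two checks: deciding whether a redirect target is cross-origin (differing scheme, host or port) and, if so, removing the Authorization header regardless of how its name is capitalised. The following is an added illustration written for this page, not urllib3's own code; it uses only the Python standard library and shows the case-sensitive removal that the description calls an incomplete fix beside the case-insensitive one, so the difference can be exercised directly. Function and variable names are chosen here for illustration.

```python
from urllib.parse import urlsplit

# Default ports used to normalise an origin when the URL omits the port.
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return (scheme, host, port) for a URL, filling in the default port.

    Scheme and host are lower-cased so that case differences alone do not
    make two URLs look like different origins.
    """
    parts = urlsplit(url)
    scheme = (parts.scheme or "").lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return scheme, host, port


def is_cross_origin(src_url, dst_url):
    """True when scheme, host or port differ between source and redirect target.

    This is the condition under which credentials must not be forwarded.
    """
    return origin(src_url) != origin(dst_url)


def strip_auth_case_sensitive(headers):
    """Mirror of the incomplete fix: only a key spelled exactly 'Authorization'
    is dropped, so 'authorization' or 'AUTHORIZATION' leaks through."""
    return {k: v for k, v in headers.items() if k != "Authorization"}


def strip_auth_case_insensitive(headers):
    """Hardened behaviour: drop the header whatever the case of its name,
    since HTTP header field names are case-insensitive."""
    return {k: v for k, v in headers.items() if k.lower() != "authorization"}


def headers_for_redirect(src_url, dst_url, headers, strip=strip_auth_case_insensitive):
    """Headers to send to the redirect target.

    Same-origin redirects keep all headers; cross-origin redirects pass them
    through the chosen stripping function (case-insensitive by default).
    """
    if is_cross_origin(src_url, dst_url):
        return strip(headers)
    return dict(headers)


if __name__ == "__main__":
    # Constructed sample request headers with a lower-cased header name.
    sample = {"authorization": "Bearer constructed-token", "User-Agent": "demo/1.0"}
    src = "https://api.example.com/login"
    dst = "http://other.example.net/landing"  # differs in scheme and host
    print("case-sensitive  :", headers_for_redirect(src, dst, sample, strip_auth_case_sensitive))
    print("case-insensitive:", headers_for_redirect(src, dst, sample))
```

Running the block shows the case-sensitive variant forwarding the bearer token to the other host over plain HTTP, which is exactly the exposure the description warns about, while the case-insensitive variant drops it. The origin comparison also treats an explicit `:443` on an `https` URL as the same origin as the same URL without a port, so legitimate same-origin redirects keep their credentials.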
Risk And Classification
Problem Types: CWE-601
NVD Known Affected Configurations (CPE 2.3)
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Remove Authorization headers regardless of case on cross-origin redir… · urllib3/urllib3@adb358f · GitHub | MISC | github.com | |
| Comparing 1.24.1...1.24.2 · urllib3/urllib3 · GitHub | MISC | github.com | |
| authorization header be forwarded to cross-site when redirecting · Issue #1510 · urllib3/urllib3 · GitHub | MISC | github.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 199896 Ubuntu Security Notification for pip Vulnerabilities (USN-6473-2)
- 199914 Ubuntu Security Notification for urllib3 Vulnerabilities (USN-6473-1)
- 6000046 Debian Security Update for python-urllib3 (DLA 3610-1)
- 673698 EulerOS Security Update for python-pip (EulerOS-SA-2024-1295)
- 673753 EulerOS Security Update for python-urllib3 (EulerOS-SA-2024-1296)
- 995613 Python (Pip) Security Update for urllib3 (GHSA-gwvm-45gx-3cf8)