PT-2018-2802 · Python+6 · Urllib3+6
Zockons12
·
Publicado
2018-03-26
·
Atualizado
2026-06-03
·
CVE-2018-20060
CVSS v3.1
9.8
Crítica
| Vetor | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
urllib3 versions prior to 1.23
Description
The issue is related to errors in handling registration data in the urllib3 module of the Python programming language. This can allow a remote attacker to disclose protected information. Specifically, urllib3 before version 1.23 does not remove the
Authorization HTTP header when following a cross-origin redirect, which can expose credentials in the Authorization header to unintended hosts or transmit them in cleartext.Recommendations
For versions prior to 1.23, update to version 1.23 or later to resolve the issue. As a temporary workaround, consider restricting the use of the
Authorization header in cross-origin redirects until a patch is available. Avoid using the Authorization header in affected API endpoints until the issue is resolved.Correção
Information Disclosure
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Identificadores relacionados
Produtos afetados
Almalinux
Centos
Red Hat
Rocky Linux
Suse
Ubuntu
Urllib3