PT-2018-2802 · Python+6 · Urllib3+6
Zockons12
·
Published
2018-03-26
·
Updated
2026-06-03
·
CVE-2018-20060
CVSS v3.1
9.8
Critical
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
urllib3 versions prior to 1.23
Description
The issue is related to errors in handling registration data in the urllib3 module of the Python programming language. This can allow a remote attacker to disclose protected information. Specifically, urllib3 before version 1.23 does not remove the
Authorization HTTP header when following a cross-origin redirect, which can expose credentials in the Authorization header to unintended hosts or transmit them in cleartext.Recommendations
For versions prior to 1.23, update to version 1.23 or later to resolve the issue. As a temporary workaround, consider restricting the use of the
Authorization header in cross-origin redirects until a patch is available. Avoid using the Authorization header in affected API endpoints until the issue is resolved.Fix
Information Disclosure
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Almalinux
Centos
Red Hat
Rocky Linux
Suse
Ubuntu
Urllib3