CVE-2018-20060

CRITICAL

urllib3 < 1.23 - Authorization Header Exposure via Cross-Origin Redirect

Title source: llm

Description

urllib3 before version 1.23 does not remove the Authorization HTTP header when following a cross-origin redirect, that is, a redirect whose target differs from the original request in scheme, host, or port. Credentials carried in the Authorization header can therefore be delivered to a host the application never meant to authenticate to, or, when an https URL redirects to http, transmitted in cleartext. The fix in urllib3 1.23 (pull request 1346 below) strips the Authorization header before following any redirect that is not same-origin.

References (12)

Third Party Advisory: https://github.com/urllib3/urllib3/issues/1316
Third Party Advisory: https://github.com/urllib3/urllib3/pull/1346
Issue Tracking, Mitigation, Patch, Third Party Advisory: https://bugzilla.redhat.com/show_bug.cgi?id=1649153
Vendor Advisory (Ubuntu): https://usn.ubuntu.com/3990-1/
Vendor Advisory (Red Hat): https://access.redhat.com/errata/RHSA-2019:2272
Mailing List (Debian LTS): https://lists.debian.org/debian-lts-announce/2021/06/msg00015.html

Scores

CVSS v3 9.8
EPSS 0.0066
EPSS Percentile 71.3%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

Status published
Products (5)
fedoraproject/fedora 28
fedoraproject/fedora 29
fedoraproject/fedora 30
pypi/urllib3 >= 0, < 1.23 (PyPI)
python/urllib3 < 1.23
Published Dec 11, 2018
Tracked Since Feb 18, 2026