Lucene search

K
amazonAmazonALAS2-2020-1413
HistoryApr 20, 2020 - 8:48 p.m.

Medium: python-virtualenv

2020-04-2020:48:00
alas.aws.amazon.com
31
urllib3
python-requests
security vulnerabilities
python-virtualenv
crlf injection
credentials exposure
http header.

CVSS2

5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

AI Score

7.4

Confidence

High

EPSS

0.005

Percentile

76.7%

Issue Overview:

urllib3 before version 1.23 does not remove the Authorization HTTP header when following a cross-origin redirect (i.e., a redirect that differs in host, port, or scheme). This can allow for credentials in the Authorization header to be exposed to unintended hosts or transmitted in cleartext. (CVE-2018-20060)

In the urllib3 library through 1.24.1 for Python, CRLF injection is possible if the attacker controls the request parameter. (CVE-2019-11236)

A credentials-exposure flaw was found in python-requests, where if a request with authentication is redirected (302) from an HTTPS endpoint to an HTTP endpoint on the same host, the Authorization header is not stripped and the credentials can be read in plain text. A man-in-the-middle attacker could exploit this flaw to obtain a user’s valid credentials. (CVE-2018-18074)

Affected Packages:

python-virtualenv

Note:

This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.

Issue Correction:
Run yum update python-virtualenv to update your system.

New Packages:

noarch:  
    python-virtualenv-15.1.0-4.amzn2.noarch  
  
src:  
    python-virtualenv-15.1.0-4.amzn2.src  

Additional References

Red Hat: CVE-2018-18074, CVE-2018-20060, CVE-2019-11236

Mitre: CVE-2018-18074, CVE-2018-20060, CVE-2019-11236

OSVersionArchitecturePackageVersionFilename
Amazon Linux2noarchpython-virtualenv< 15.1.0-4.amzn2python-virtualenv-15.1.0-4.amzn2.noarch.rpm

CVSS2

5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

AI Score

7.4

Confidence

High

EPSS

0.005

Percentile

76.7%