Lucene search

K

[email protected]NVD:CVE-2018-25091

HistoryOct 15, 2023 - 7:15 p.m.

CVE-2018-25091

2023-10-1519:15:09

CWE-601

[email protected]

web.nvd.nist.gov

3

urllib3

cve-2018-25091

authorization header

cross-origin redirect

credentials exposure

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

7 High

AI Score

Confidence

High

0.01 Low

EPSS

Percentile

83.8%

urllib3 before 1.24.2 does not remove the authorization HTTP header when following a cross-origin redirect (i.e., a redirect that differs in host, port, or scheme). This can allow for credentials in the authorization header to be exposed to unintended hosts or transmitted in cleartext. NOTE: this issue exists because of an incomplete fix for CVE-2018-20060 (which was case-sensitive).

Affected configurations

NVD

Node

pythonurllib3Range<1.24.2

References

github.com/urllib3/urllib3/commit/adb358f8e06865406d1f05e581a16cbea2136fbc

github.com/urllib3/urllib3/compare/1.24.1...1.24.2

github.com/urllib3/urllib3/issues/1510

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

7 High

AI Score

Confidence

High

0.01 Low

EPSS

Percentile

83.8%

Related for NVD:CVE-2018-25091