Lucene search
K

9 matches found

OSV
OSV
added 2026/06/24 2:0 p.m.4 views

UBUNTU-CVE-2026-11856

Successfully using libcurl to do a transfer to a specific HTTP origin hostA with Digest authentication and then changing the origin to a different one hostB for a second transfer, reusing the same handle, makes libcurl wrongly pass on the Authorization: header field meant for hostA, to hostB...

9.8CVSS5.9AI score0.0025EPSS
Exploits0References3
NVD
NVD
added 2026/06/02 8:16 p.m.12 views

CVE-2026-48595

Improper Handling of Case Sensitivity vulnerability in elixir-tesla tesla allows credential leakage to a third-party origin on cross-origin redirects. Tesla.Middleware.FollowRedirects strips security-sensitive headers on cross-origin redirects using a case-sensitive string comparison against a...

8.2CVSS0.00396EPSS
Exploits2References4
CNNVD
CNNVD
added 2026/04/18 12:0 a.m.12 views

Async Http Client 安全漏洞

Async Http Client is an open-source Java-based asynchronous HTTP and WebSocket client library developed by AsyncHttpClient. Versions prior to 3.0.9 and 2.14.5 of Async Http Client had security vulnerabilities. These vulnerabilities stemmed from the redirection process, where authorization headers...

6.8CVSS5.8AI score0.00326EPSS
Exploits0References1
GitLab Advisory Database
GitLab Advisory Database
added 2026/03/18 12:0 a.m.28 views

HAPI FHIR HTTP authentication leak in redirects

When setting headers in HTTP requests, the internal HTTP client sends headers first to the host in the initial URL but also, if asked to follow redirects and a 30X HTTP response code is returned, to the host mentioned in URL in the Location: response header value. Sending the same set of headers ...

8.2CVSS5.9AI score0.00264EPSS
Exploits0References4
CVE
CVE
added 2025/04/24 1:1 p.m.125 views

CVE-2025-46421

The CVE-2025-46421 issue affects the libsoup HTTP client library and causes information disclosure when a libsoup client follows an HTTP redirect: the client may send the Authorization header to the redirected host, enabling potential impersonation. Documented in multiple advisories across distri...

6.8CVSS6.7AI score0.00478EPSS
Exploits0References13
Redos
Redos
added 2025/02/13 12:0 a.m.6 views

ROS-20250212-16

A vulnerability in the Golang programming language is related to the fact that an HTTP client sends an Authorization header to a third-party domain after a chain of redirects in an uncontrolled consumption of resources. Authorization to a third-party domain after a chain of redirects with...

6.1CVSS6.5AI score0.00647EPSS
Exploits0
Cvelist
Cvelist
added 2024/05/20 8:3 a.m.23 views

CVE-2024-1968 Authorization Header Leakage in scrapy/scrapy on Scheme Change Redirects

In scrapy/scrapy, an issue was identified where the Authorization header is not removed during redirects that only change the scheme e.g., HTTPS to HTTP but remain within the same domain. This behavior contravenes the Fetch standard, which mandates the removal of Authorization headers in...

7.5CVSS7.1AI score0.00682EPSS
Exploits1References2
OSV
OSV
added 2024/02/15 3:32 p.m.18 views

GHSA-CW9J-Q3VF-HRRV Scrapy authorization header leakage on cross-domain redirect

Impact When you send a request with the Authorization header to one domain, and the response asks to redirect to a different domain, Scrapy’s built-in redirect middleware creates a follow-up redirect request that keeps the original Authorization header, leaking its content to that second domain...

7.5CVSS7.1AI score0.00642EPSS
Exploits1References5
Huntr
Huntr
added 2022/02/12 5:7 p.m.37 views

Exposure of Sensitive Information to an Unauthorized Actor in node-fetch/node-fetch

Description The Authorization header leaks from same hostname https-http redirect. If https://example.com redirects to http://example.com, then an attacker who can listen in on the wire or perform a MITM attack will be able to receive the Authorization header due to the use of the insecure HTTP...

6.7AI score0.07443EPSS
Exploits2References1
Rows per page
Query Builder