Fluid Attacks Database

Description

Exposure of Sensitive Information to an Unauthorized Actor in urllib3 urllib3 before version 1.23 does not remove the Authorization HTTP header when following a cross-origin redirect (i.e., a redirect that differs in host, port, or scheme). This can allow for credentials in the Authorization header to be exposed to unintended hosts or transmitted in cleartext.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 14	python-urllib3	>=0 <1.24-1	1.24-1
debian 13	python-urllib3	>=0 <1.24-1	1.24-1
pypi	urllib3	>=0 <1.23	1.23
debian 11	python-urllib3	>=0 <1.24-1	1.24-1
debian 12	python-urllib3	>=0 <1.24-1	1.24-1
rpm rhel7	python-virtualenv	<0:15.1.0-4.el7_8	0:15.1.0-4.el7_8
rpm rhel7	python-urllib3	<0:1.10.2-7.el7	0:1.10.2-7.el7
rpm rhel7	python-pip	<0:9.0.3-7.el7_8	0:9.0.3-7.el7_8
rpm rhel8	python-pip	<0:9.0.3-16.el8	0:9.0.3-16.el8
rpm rhel6	python-urllib3	-	-

Aliases

1. CVE-2018-200602. NVD-2018-200603. OSV-DEBIAN-2018-200604. OSV-2018-200605. GCVE-2018-200606. SECURITY-TRACKER-CVE-2018-200607. lists.debian.org8. access.redhat.com

References

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.