Fluid Attacks Database

Description

Authorization Header forwarded on redirect urllib3 before 1.24.2 does not remove the authorization HTTP header when following a cross-origin redirect (i.e., a redirect that differs in host, port, or scheme). This can allow for credentials in the authorization header to be exposed to unintended hosts or transmitted in cleartext. NOTE: this issue exists because of an incomplete fix for CVE-2018-20060 (which was case-sensitive).

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 14	python-urllib3	>=0 <1.25.6-4	1.25.6-4
pypi	urllib3	>=0 <1.24.2	1.24.2
debian 11	python-urllib3	>=0 <1.25.6-4	1.25.6-4
debian 12	python-urllib3	>=0 <1.25.6-4	1.25.6-4
debian 13	python-urllib3	>=0 <1.25.6-4	1.25.6-4
rpm rhel7	python-pip	-	-
rpm rhel7	resource-agents	-	-
rpm rhel6	python-urllib3	-	-
rpm rhel7	python-s3transfer	-	-
rpm rhel7	python-urllib3	-	-

Aliases

1. CVE-2018-250912. NVD-2018-250913. OSV-DEBIAN-2018-250914. OSV-2018-250915. GCVE-2018-250916. SECURITY-TRACKER-CVE-2018-25091

References

1. https://github.com/urllib3/urllib3/issues/15102. https://github.com/urllib3/urllib3/commit/adb358f8e06865406d1f05e581a16cbea2136fbc3. https://github.com/pypa/advisory-database/tree/main/vulns/urllib3/PYSEC-2023-207.yaml4. https://github.com/urllib3/urllib3/compare/1.24.1...1.24.2

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.