CVE-2018-20060

urllib3 before version 1.23 does not remove the Authorization HTTP header when following a cross-origin redirect (i.e., a redirect that differs in host, port, or scheme). This can allow for credentials in the Authorization header to be exposed to unintended hosts or transmitted in cleartext.

Database specific

{
    "unresolved_ranges": [
        {
            "cpe": "cpe:2.3:o:fedoraproject:fedora:28:*:*:*:*:*:*:*",
            "source": "CPE_FIELD",
            "extracted_events": [
                {
                    "last_affected": "28"
                }
            ]
        },
        {
            "cpe": "cpe:2.3:o:fedoraproject:fedora:29:*:*:*:*:*:*:*",
            "source": "CPE_FIELD",
            "extracted_events": [
                {
                    "last_affected": "29"
                }
            ]
        },
        {
            "cpe": "cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*",
            "source": "CPE_FIELD",
            "extracted_events": [
                {
                    "last_affected": "30"
                }
            ]
        }
    ]
}

References

Affected packages

Git / github.com/urllib3/urllib3

Affected ranges

Type

GIT

Repo

https://github.com/urllib3/urllib3

Events

Introduced

Fixed

7c216f433e39e184b84cbfa49e41135a89e4baa0

Database specific

{
    "cpe": "cpe:2.3:a:python:urllib3:*:*:*:*:*:*:*:*",
    "source": "CPE_FIELD",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.23"
        }
    ]
}

Affected versions

0.*

0.3

0.3.1

0.4

0.4.1

1.*

1.1

1.10.3

1.10.4

1.11

1.12

1.13

1.13.1

1.14

1.15

1.15.1

1.16

1.18

1.19

1.2

1.2.1

1.20

1.21

1.21.1

1.22

1.3

1.4

1.5

1.6

1.7

1.7.1

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2018-20060.json"