Alpaquita LinuxStreamSecurity Advisory
Search Cve

CVE-2018-25091

Published: October 15, 2023Last modified: October 16, 2023

Description

urllib3 before 1.24.2 does not remove the authorization HTTP header when following a cross-origin redirect (i.e., a redirect that differs in host, port, or scheme). This can allow for credentials in the authorization header to be exposed to unintended hosts or transmitted in cleartext. NOTE: this issue exists because of an incomplete fix for CVE-2018-20060 (which was case-sensitive).

Severity score breakdown

ParameterValue
Base score6.1
Attack VectorNETWORK
Attack complexityLOW
Privileges requiredNONE
User interactionREQUIRED
ScopeCHANGED
ConfidentialityLOW
Integrity impactLOW
Availability impactNONE
VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Status

ProductReleasePackageStatus
Alpaquita Linux23 LTSpy3-urllib3Not affected (1.26.12-r1)
Streampy3-urllib3Not affected (1.26.16-r0)

References

ON THIS PAGE