GHSA-www2-v7xj-xrc6

Source

https://github.com/advisories/GHSA-www2-v7xj-xrc6

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/12/GHSA-www2-v7xj-xrc6/GHSA-www2-v7xj-xrc6.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-www2-v7xj-xrc6

Aliases

Published

2018-12-12T15:52:07Z

Modified

2024-02-22T05:33:03.857215Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

Exposure of Sensitive Information to an Unauthorized Actor in urllib3

Details

urllib3 before version 1.23 does not remove the Authorization HTTP header when following a cross-origin redirect (i.e., a redirect that differs in host, port, or scheme). This can allow for credentials in the Authorization header to be exposed to unintended hosts or transmitted in cleartext.

References

Affected packages

PyPI / urllib3

Package

Name: urllib3; View open source insights on deps.dev
Purl: pkg:pypi/urllib3

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.23

Affected versions

0.*

0.2

0.3

0.3.1

0.4.0

0.4.1

1.*

1.0

1.0.1

1.0.2

1.1

1.2

1.2.1

1.2.2

1.3

1.4

1.5

1.6

1.7

1.7.1

1.8

1.8.2

1.8.3

1.9

1.9.1

1.10

1.10.1

1.10.2

1.10.3

1.10.4

1.11

1.12

1.13

1.13.1

1.14

1.15

1.15.1

1.16

1.17

1.18

1.18.1

1.19

1.19.1

1.20

1.21

1.21.1

1.22

Ecosystem specific

{
    "affected_functions": [
        "urllib3.poolmanager.PoolManager.urlopen",
        "urllib3.util.retry.Retry",
        "urllib3.util.retry.Retry.__init__",
        "urllib3.util.retry.Retry.new"
    ]
}