EIQ-2018-0011



ID

EIQ-2018-0011

CVE

CVE-2018-20060

Description

Cross-host redirect does not remove the Authorization HTTP header

Date

12 Dec 2018

Severity

4 - CRITICAL

CVSSv3 score

9.8

Status

✓ 2.3.2

Assessment

urllib3 HTTP client versions earlier than 1.23 do not remove the Authorization HTTP header when following a cross-origin redirect, that is, a redirect to a different host, port, or scheme.

Credentials in the Authorization header may become exposed to unintended hosts or be transmitted in clear text.
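The redirect rule described above, written out as an added example (not code from the EclecticIQ platform or from urllib3): a redirect target counts as cross-origin when its scheme, host, or port differs from the original request, and in that case the Authorization header is dropped before the redirected request is sent. The function and variable names are this example's own; the version check assumes the "earlier than 1.23" boundary stated on this page.

```python
import re
from urllib.parse import urljoin, urlsplit

# Default ports per scheme, so "https://a.example" and "https://a.example:443"
# are treated as the same origin.
_DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return (scheme, host, port) for an absolute URL, filling in the default port."""
    parts = urlsplit(url)
    scheme = (parts.scheme or "http").lower()
    host = (parts.hostname or "").lower()
    port = parts.port or _DEFAULT_PORTS.get(scheme)
    return scheme, host, port


def is_cross_origin_redirect(request_url, location):
    """True when the redirect target differs in scheme, host, or port.

    A relative Location header (e.g. "/login") is resolved against the
    original request URL first, so it is correctly treated as same-origin.
    """
    target = urljoin(request_url, location)
    return origin(request_url) != origin(target)


def headers_for_redirect(headers, request_url, location):
    """Return the headers to send to the redirect target.

    Authorization is removed whenever the target is a different origin,
    which is the behaviour urllib3 adopted in 1.23.  Header names are
    compared case-insensitively, as HTTP requires.
    """
    if not is_cross_origin_redirect(request_url, location):
        return dict(headers)
    return {k: v for k, v in headers.items() if k.lower() != "authorization"}


def urllib3_is_affected(version):
    """True for urllib3 versions earlier than 1.23 (major.minor comparison only)."""
    match = re.match(r"(\d+)\.(\d+)", version)
    if not match:
        raise ValueError("unrecognised version string: %r" % version)
    return (int(match.group(1)), int(match.group(2))) < (1, 23)


if __name__ == "__main__":
    # Constructed sample: a redirect from the API host to an unrelated host.
    sent = headers_for_redirect({"Authorization": "Bearer TOKEN", "Accept": "*/*"},
                                "https://api.example.com/v1", "https://other.example.net/")
    print(sent)  # Authorization is gone; Accept is kept
```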

Mitigation

-

Affected versions

2.3.1 and earlier.

Notes

-
