EIQ-2018-0011
| Field | Value |
|---|---|
| ID | EIQ-2018-0011 |
| CVE | |
| Description | Cross-host redirect does not remove the Authorization HTTP header |
| Date | 12 Dec 2018 |
| Severity | 4 - CRITICAL |
| CVSSv3 score | 9.8 |
| Status | |
| Assessment | urllib3 HTTP client versions earlier than 1.23 do not remove the Authorization HTTP header when following a cross-origin redirect (a redirect to a different host, port, or scheme). Credentials in the Authorization header may become exposed to unintended hosts or be transmitted in clear text. |
| Mitigation | - |
| Affected versions | 2.3.1 and earlier. |
| Notes | - |
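The assessment above describes the failure mode in one sentence: a client that keeps the Authorization header while following a redirect to a different host, port, or scheme hands the credential to whatever that redirect points at. The following is an added illustration of the safe rule, written for this page; it is not urllib3's code and does not call urllib3. It models origin comparison with the standard library only, follows a constructed redirect chain (the URLs, `RESPONSES` table and all function names are assumptions made up for the example), and shows the header surviving a same-origin hop but being dropped on the cross-host hop. Passing `strip_on_cross_origin=False` reproduces the leaking behaviour the advisory describes, so the two outcomes can be compared side by side.

```python
from urllib.parse import urlsplit, urljoin

REDIRECT_STATUSES = (301, 302, 303, 307, 308)
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return (scheme, host, port) with the default port filled in, so that
    https://h/ and https://h:443/ compare as the same origin."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)


def is_cross_origin(from_url, to_url):
    """True when host, port or scheme differs, the condition in the advisory."""
    return origin(from_url) != origin(to_url)


def has_auth(headers):
    return any(name.lower() == "authorization" for name in headers)


def headers_for_redirect(headers, from_url, location, strip_on_cross_origin=True):
    """Resolve the Location value against the current URL (it may be relative)
    and return (target_url, headers_to_send). The Authorization header is
    removed whenever the target is a different origin."""
    target = urljoin(from_url, location)
    new_headers = dict(headers)
    if strip_on_cross_origin and is_cross_origin(from_url, target):
        for name in list(new_headers):
            if name.lower() == "authorization":
                del new_headers[name]
    return target, new_headers


def follow_redirects(start_url, headers, responses, max_redirects=5,
                     strip_on_cross_origin=True):
    """Walk a redirect chain described by `responses` (url -> (status, location)).
    Returns (final_url, headers_sent_to_final_url, trail) where trail records,
    per hop, whether an Authorization header was still attached."""
    url, hdrs = start_url, dict(headers)
    trail = [(url, has_auth(hdrs))]
    for _ in range(max_redirects):
        status, location = responses.get(url, (200, None))
        if status not in REDIRECT_STATUSES or location is None:
            return url, hdrs, trail
        url, hdrs = headers_for_redirect(hdrs, url, location, strip_on_cross_origin)
        trail.append((url, has_auth(hdrs)))
    raise RuntimeError("too many redirects")


# Constructed chain (hypothetical hosts): one same-origin hop, then a hop to
# another host. A real client would get these from live HTTP responses.
RESPONSES = {
    "https://api.example.com/v1/report": (302, "/v2/report"),
    "https://api.example.com/v2/report": (307, "https://files.example.net/report.pdf"),
    "https://files.example.net/report.pdf": (200, None),
}
START = "https://api.example.com/v1/report"
HEADERS = {"Authorization": "Bearer CONSTRUCTED-TOKEN", "User-Agent": "demo/1.0"}


if __name__ == "__main__":
    for strip in (True, False):
        final_url, sent, trail = follow_redirects(START, HEADERS, RESPONSES,
                                                  strip_on_cross_origin=strip)
        print(f"strip_on_cross_origin={strip}")
        for hop_url, auth in trail:
            print(f"  {hop_url}  Authorization attached: {auth}")
```

Running the block shows the header attached on the first two hops (both on `api.example.com`) and absent on `files.example.net` when stripping is on; with stripping off the bearer token travels to the third host, which is exactly the exposure the assessment describes. Scheme changes count too: the same function drops the header on an `https://` to `http://` redirect of the same host, which covers the clear-text case.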