EIQ-2018-0011
| Field | Value |
|---|---|
| ID | EIQ-2018-0011 |
| CVE | |
| Description | Cross-host redirect does not remove the Authorization HTTP header |
| Date | 12 Dec 2018 |
| Severity | 4 - CRITICAL |
| CVSSv3 score | 9.8 |
| Status | 2.3.2 |
| Assessment | urllib3 HTTP client versions earlier than 1.23 do not remove the Authorization HTTP header when following a cross-origin redirect, i.e. a redirect to a different host, port, or scheme. Credentials in the Authorization header may be exposed to unintended hosts or transmitted in clear text. |
| Mitigation | - |
| Affected versions | 2.3.1 and earlier. |
| Notes | - |
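As an added illustration (example code written for this page, not urllib3's implementation and not part of the advisory), the following Python sketch shows the check a corrected client applies when following a redirect: resolve the Location against the original URL, compare scheme, host and port with default ports filled in, and drop the Authorization header only when the origin changes. The URLs, header values and redirect chain are constructed.

```python
from urllib.parse import urljoin, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
SENSITIVE_HEADERS = ("Authorization",)  # headers that must not cross an origin boundary


def origin(url):
    """(scheme, host, port) of an absolute URL, with default ports filled in."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return scheme, (parts.hostname or "").lower(), port


def is_cross_origin(original_url, location):
    """True when the Location points at a different scheme, host or port.
    Relative Locations are resolved against the original URL first."""
    return origin(original_url) != origin(urljoin(original_url, location))


def headers_for_redirect(headers, original_url, location, sensitive=SENSITIVE_HEADERS):
    """Headers to send on the redirected request: unchanged for a same-origin
    redirect, otherwise with the sensitive headers removed."""
    if not is_cross_origin(original_url, location):
        return dict(headers)
    drop = {name.lower() for name in sensitive}
    return {k: v for k, v in headers.items() if k.lower() not in drop}


def follow_redirects(url, headers, responses, max_redirects=5):
    """Walk a constructed redirect chain. `responses` maps URL -> Location, or
    None for a final response. Returns the final URL plus the headers that
    would have been sent at each hop, so any credential leakage is visible."""
    sent = []
    for _ in range(max_redirects + 1):
        sent.append((url, dict(headers)))
        location = responses.get(url)
        if location is None:
            return url, sent
        headers = headers_for_redirect(headers, url, location)
        url = urljoin(url, location)
    raise RuntimeError("too many redirects")


# Constructed chain: a same-origin hop keeps the credential, the cross-host hop drops it.
CHAIN = {
    "https://api.example.test/v1/report": "/v2/report",
    "https://api.example.test/v2/report": "http://mirror.example.test/report",
    "http://mirror.example.test/report": None,
}

if __name__ == "__main__":
    final, hops = follow_redirects("https://api.example.test/v1/report",
                                   {"Authorization": "Bearer SECRET", "Accept": "*/*"}, CHAIN)
    for hop_url, hop_headers in hops:
        print(hop_url, "Authorization sent:", "Authorization" in hop_headers)
```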