EIQ-2018-0011

ID

EIQ-2018-0011

CVE

CVE-2018-20060

Description

Cross-host redirect does not remove the Authorization HTTP header

Date

12 Dec 2018

Severity

4 - CRITICAL

CVSSv3 score

9.8

Status

✅ 2.3.2

Assessment

urllib3 HTTP client versions that are earlier than 1.23 do not remove the Authorization HTTP header when following a cross-origin redirect – a redirect with a different host, port, or scheme.

Credentials in the Authorization header may become exposed to unintended hosts or be transmitted in clear text.
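The following Python snippet is an added illustration, not code from urllib3 or from this advisory. It implements the behaviour the assessment describes as missing in the affected versions: when a redirect target differs from the original request in scheme, host, or port, the Authorization header is dropped before the request is re-issued. Function names, the `_DEFAULT_PORTS` table, and the sample URLs and token are assumptions constructed for this example.

```python
from urllib.parse import urljoin, urlsplit

# Default ports per scheme (assumed table for this example), so that
# "https://example.com" and "https://example.com:443" count as one origin.
_DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return the (scheme, host, port) triple that identifies a URL's origin."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else _DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)


def is_cross_origin(original_url, location):
    """True when the redirect target lives on a different scheme, host or port.

    The Location value may be relative, so it is resolved against the
    original URL first; a relative redirect is always same-origin.
    """
    redirect_url = urljoin(original_url, location)
    return origin(original_url) != origin(redirect_url)


def headers_for_redirect(original_url, location, headers):
    """Return the header set to send when following a redirect.

    Credentials carried in Authorization must not reach a different origin
    (and must not be downgraded from https to http), so the header is removed
    on cross-origin redirects and kept otherwise. Header names are matched
    case-insensitively.
    """
    forwarded = dict(headers)
    if is_cross_origin(original_url, location):
        for name in list(forwarded):
            if name.lower() == "authorization":
                del forwarded[name]
    return forwarded


if __name__ == "__main__":
    # Constructed sample: a request to api.example.com carrying a bearer token
    # is redirected to a different host; the token must not be forwarded.
    request_headers = {
        "Authorization": "Bearer <sample-token>",
        "Accept": "application/json",
    }
    print(headers_for_redirect("https://api.example.com/v1/data",
                               "https://cdn.example.net/v1/data",
                               request_headers))
```

The port normalisation matters in practice: a client that compares raw `netloc` strings would treat `https://host` and `https://host:443` as different origins and drop credentials on a harmless redirect, while one that ignores the port entirely would forward them to a different service on the same host.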

Mitigation

-

Affected versions

2.3.1 and earlier.

Notes

-