CVE-2018-20060

NameCVE-2018-20060
Descriptionurllib3 before version 1.23 does not remove the Authorization HTTP header when following a cross-origin redirect (i.e., a redirect that differs in host, port, or scheme). This can allow for credentials in the Authorization header to be exposed to unintended hosts or transmitted in cleartext.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-2686-1, ELA-1014-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
python-urllib3 (PTS)jessie, jessie (lts)1.9.1-3+deb8u2fixed
stretch (security)1.19.1-1+deb9u1vulnerable
stretch (lts), stretch1.19.1-1+deb9u2fixed
buster (security), buster, buster (lts)1.24.1-1+deb10u2fixed
bullseye1.26.5-1~exp1fixed
bookworm1.26.12-1fixed
sid, trixie2.0.7-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
python-urllib3sourcejessie1.9.1-3+deb8u2ELA-1014-1
python-urllib3sourcestretch1.19.1-1+deb9u2ELA-1014-1
python-urllib3source(unstable)1.24-1

Notes

[jessie] - python-urllib3 <ignored> (Minor issue)
https://github.com/urllib3/urllib3/issues/1316
https://github.com/urllib3/urllib3/pull/1346
https://github.com/urllib3/urllib3/commit/3d7f98b07b6e6e04c2e89cdf5afb18024a2d804c
https://github.com/urllib3/urllib3/commit/f99912beeaf230ee3634b938d3ea426ffd1f3e57
https://github.com/urllib3/urllib3/commit/48dba048081dfcb999afcda715d17147aa15b6ea
https://github.com/urllib3/urllib3/commit/23e2eb56af23db5a1eeb8ad9b51dd99a27c15522
https://github.com/urllib3/urllib3/commit/5e9c6b9175d66170ef65fc703f2e46788a59ca0c
https://github.com/urllib3/urllib3/commit/9c9dd6f3014e89bb9c532b641abcf1b24c3896ab
https://github.com/urllib3/urllib3/commit/6245ddddb7f80740c5c15e1750e5b9f68c5b2b5f
https://github.com/urllib3/urllib3/commit/3b5f27449e153ad05186beca8fbd9b134936fe50
https://github.com/urllib3/urllib3/commit/1742538d57865e61125c6c12a755b5db41636fe7
https://github.com/urllib3/urllib3/commit/2a42e70ff077006d5a6da92251ddbb2939303f94
https://github.com/urllib3/urllib3/commit/e8a727a0b8389f5f75981858a8bbb319646f4450
https://github.com/urllib3/urllib3/commit/63948f3a607ed8e7a3ce9ac4e20782359896e27e
https://github.com/urllib3/urllib3/commit/560bd227b90f74417ffaedebf5f8d05a8ee4f532
Fixed upstream in 1.23
https://github.com/urllib3/urllib3/commit/adb358f8e06865406d1f05e581a16cbea2136fbc (follow-up to avoid CVE-2018-25091)
[wheezy] - python-urllib3 <ignored> (Minor issue)

Search for package or bug name: Reporting problems