CVE-2018-20060
Description
urllib3 before version 1.23 does not remove the Authorization HTTP header when following a cross-origin redirect (i.e., a redirect that differs in host, port, or scheme). This can allow for credentials in the Authorization header to be exposed to unintended hosts or transmitted in cleartext.
Risk Information
Base Score
9.8
MODERATE
Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score
Exploitation Probability
0.434
Associated Vulnerability
| Vulnerability | OS Platform |
|---|---|
| Vulnerabilities CVE-2018-20060 are fixed in Python-urllib3 1.23 | Windows |
| HTTP library with thread-safe connection pooling for Python (USN-3990-1) python-urllib3_1.24.1-1ubuntu0.1_all.deb | Linux |
| HTTP library with thread-safe connection pooling for Python (USN-3990-1) python-urllib3_1.22-1ubuntu0.18.04.1_all.deb | Linux |
| HTTP library with thread-safe connection pooling for Python (USN-3990-1) python-urllib3_1.22-1ubuntu0.18.10.1_all.deb | Linux |
| HTTP library with thread-safe connection pooling for Python (USN-3990-1) python-urllib3_1.13.1-2ubuntu0.16.04.3_all.deb | Linux |
| HTTP library with thread-safe connection pooling for Python (USN-3990-1) python3-urllib3_1.24.1-1ubuntu0.1_all.deb | Linux |
| HTTP library with thread-safe connection pooling for Python (USN-3990-1) python3-urllib3_1.22-1ubuntu0.18.04.1_all.deb | Linux |
| HTTP library with thread-safe connection pooling for Python (USN-3990-1) python3-urllib3_1.22-1ubuntu0.18.10.1_all.deb | Linux |
| HTTP library with thread-safe connection pooling for Python (USN-3990-1) python3-urllib3_1.13.1-2ubuntu0.16.04.3_all.deb | Linux |
| (RHSA-2020:0850) python-pip security update python3-pip-9.0.3-7.el7_7.noarch.rpm | Linux |
| (RHSA-2020:2081) python-virtualenv security update python-virtualenv-15.1.0-4.el7_8.noarch.rpm | Linux |
| (RHSA-2020:2068) python-pip security update python3-pip-9.0.3-7.el7_8.noarch.rpm | Linux |
| (RHSA-2020:1605) python27:2.7 security, bug fix, and enhancement update Cython-debugsource-0.28.1-7.module+el8.1.0+3111+de3f2d8e.x86_64.rpm | Linux |
| (RHSA-2020:1605) python27:2.7 security, bug fix, and enhancement update PyYAML-debugsource-3.12-16.module+el8.1.0+3111+de3f2d8e.x86_64.rpm | Linux |
| (RHSA-2020:1605) python27:2.7 security, bug fix, and enhancement update babel-2.5.1-9.module+el8.1.0+3111+de3f2d8e.noarch.rpm | Linux |
| (RHSA-2020:1605) python27:2.7 security, bug fix, and enhancement update numpy-debugsource-1.14.2-13.module+el8.1.0+3323+7ac3e00f.x86_64.rpm | Linux |
| (RHSA-2020:1605) python27:2.7 security, bug fix, and enhancement update python-coverage-debugsource-4.5.1-4.module+el8.1.0+3111+de3f2d8e.x86_64.rpm | Linux |
| (RHSA-2020:1605) python27:2.7 security, bug fix, and enhancement update python-lxml-debugsource-4.2.3-3.module+el8.1.0+3111+de3f2d8e.x86_64.rpm | Linux |
| (RHSA-2020:1605) python27:2.7 security, bug fix, and enhancement update python-nose-docs-1.3.7-30.module+el8.1.0+3111+de3f2d8e.noarch.rpm | Linux |
| (RHSA-2020:1605) python27:2.7 security, bug fix, and enhancement update python-psycopg2-debugsource-2.7.5-7.module+el8.1.0+3111+de3f2d8e.x86_64.rpm | Linux |
| (RHSA-2020:1605) python27:2.7 security, bug fix, and enhancement update python-psycopg2-doc-2.7.5-7.module+el8.1.0+3111+de3f2d8e.x86_64.rpm | Linux |
| (RHSA-2020:1605) python27:2.7 security, bug fix, and enhancement update python-pymongo-debugsource-3.6.1-11.module+el8.1.0+3446+c3d52da3.x86_64.rpm | Linux |
| (RHSA-2020:1605) python27:2.7 security, bug fix, and enhancement update python-sqlalchemy-doc-1.3.2-1.module+el8.1.0+2994+98e054d6.noarch.rpm | Linux |
| (RHSA-2020:1605) python27:2.7 security, bug fix, and enhancement update python2-2.7.17-1.module+el8.2.0+4561+f4e0d66a.x86_64.rpm | Linux |
| (RHSA-2020:1605) python27:2.7 security, bug fix, and enhancement update python2-Cython-0.28.1-7.module+el8.1.0+3111+de3f2d8e.x86_64.rpm | Linux |
| (RHSA-2020:1605) python27:2.7 security, bug fix, and enhancement update python2-PyMySQL-0.8.0-10.module+el8.1.0+3111+de3f2d8e.noarch.rpm | Linux |
| (RHSA-2020:1605) python27:2.7 security, bug fix, and enhancement update python2-attrs-17.4.0-10.module+el8.1.0+3111+de3f2d8e.noarch.rpm | Linux |
| (RHSA-2020:1605) python27:2.7 security, bug fix, and enhancement update python2-babel-2.5.1-9.module+el8.1.0+3111+de3f2d8e.noarch.rpm | Linux |
| (RHSA-2020:1605) python27:2.7 security, bug fix, and enhancement update python2-backports-1.0-15.module+el8.1.0+3111+de3f2d8e.x86_64.rpm | Linux |
| (RHSA-2020:1605) python27:2.7 security, bug fix, and enhancement update python2-backports-ssl_match_hostname-3.5.0.1-11.module+el8.1.0+3111+de3f2d8e.noarch.rpm | Linux |
| (RHSA-2020:1605) python27:2.7 security, bug fix, and enhancement update python2-bson-3.6.1-11.module+el8.1.0+3446+c3d52da3.x86_64.rpm | Linux |
| (RHSA-2020:1605) python27:2.7 security, bug fix, and enhancement update python2-chardet-3.0.4-10.module+el8.1.0+3111+de3f2d8e.noarch.rpm | Linux |
| (RHSA-2020:1605) python27:2.7 security, bug fix, and enhancement update python2-coverage-4.5.1-4.module+el8.1.0+3111+de3f2d8e.x86_64.rpm | Linux |
| (RHSA-2020:1605) python27:2.7 security, bug fix, and enhancement update python2-debug-2.7.17-1.module+el8.2.0+4561+f4e0d66a.x86_64.rpm | Linux |
| (RHSA-2020:1605) python27:2.7 security, bug fix, and enhancement update python2-debugsource-2.7.17-1.module+el8.2.0+4561+f4e0d66a.x86_64.rpm | Linux |
| (RHSA-2020:1605) python27:2.7 security, bug fix, and enhancement update python2-devel-2.7.17-1.module+el8.2.0+4561+f4e0d66a.x86_64.rpm | Linux |
| (RHSA-2020:1605) python27:2.7 security, bug fix, and enhancement update python2-dns-1.15.0-10.module+el8.1.0+3111+de3f2d8e.noarch.rpm | Linux |
| (RHSA-2020:1605) python27:2.7 security, bug fix, and enhancement update python2-docs-2.7.16-2.module+el8.1.0+3111+de3f2d8e.noarch.rpm | Linux |
| (RHSA-2020:1605) python27:2.7 security, bug fix, and enhancement update python2-docs-info-2.7.16-2.module+el8.1.0+3111+de3f2d8e.noarch.rpm | Linux |
| (RHSA-2020:1605) python27:2.7 security, bug fix, and enhancement update python2-docutils-0.14-12.module+el8.1.0+3111+de3f2d8e.noarch.rpm | Linux |
| (RHSA-2020:1605) python27:2.7 security, bug fix, and enhancement update python2-funcsigs-1.0.2-13.module+el8.1.0+3111+de3f2d8e.noarch.rpm | Linux |
| (RHSA-2020:1605) python27:2.7 security, bug fix, and enhancement update python2-idna-2.5-7.module+el8.1.0+3111+de3f2d8e.noarch.rpm | Linux |
| (RHSA-2020:1605) python27:2.7 security, bug fix, and enhancement update python2-ipaddress-1.0.18-6.module+el8.1.0+3111+de3f2d8e.noarch.rpm | Linux |
| (RHSA-2020:1605) python27:2.7 security, bug fix, and enhancement update python2-jinja2-2.10-8.module+el8.1.0+3111+de3f2d8e.noarch.rpm | Linux |
| (RHSA-2020:1605) python27:2.7 security, bug fix, and enhancement update python2-libs-2.7.17-1.module+el8.2.0+4561+f4e0d66a.x86_64.rpm | Linux |
| (RHSA-2020:1605) python27:2.7 security, bug fix, and enhancement update python2-lxml-4.2.3-3.module+el8.1.0+3111+de3f2d8e.x86_64.rpm | Linux |
| (RHSA-2020:1605) python27:2.7 security, bug fix, and enhancement update python2-markupsafe-0.23-19.module+el8.1.0+3111+de3f2d8e.x86_64.rpm | Linux |
| (RHSA-2020:1605) python27:2.7 security, bug fix, and enhancement update python2-mock-2.0.0-13.module+el8.1.0+3111+de3f2d8e.noarch.rpm | Linux |
| (RHSA-2020:1605) python27:2.7 security, bug fix, and enhancement update python2-nose-1.3.7-30.module+el8.1.0+3111+de3f2d8e.noarch.rpm | Linux |
| (RHSA-2020:1605) python27:2.7 security, bug fix, and enhancement update python2-numpy-1.14.2-13.module+el8.1.0+3323+7ac3e00f.x86_64.rpm | Linux |
| (RHSA-2020:1605) python27:2.7 security, bug fix, and enhancement update python2-numpy-doc-1.14.2-13.module+el8.1.0+3323+7ac3e00f.noarch.rpm | Linux |
| (RHSA-2020:1605) python27:2.7 security, bug fix, and enhancement update python2-numpy-f2py-1.14.2-13.module+el8.1.0+3323+7ac3e00f.x86_64.rpm | Linux |
| (RHSA-2020:1605) python27:2.7 security, bug fix, and enhancement update python2-pip-9.0.3-16.module+el8.2.0+5478+b505947e.noarch.rpm | Linux |
| (RHSA-2020:1605) python27:2.7 security, bug fix, and enhancement update python2-pip-wheel-9.0.3-16.module+el8.2.0+5478+b505947e.noarch.rpm | Linux |
| (RHSA-2020:1605) python27:2.7 security, bug fix, and enhancement update python2-pluggy-0.6.0-8.module+el8.1.0+3111+de3f2d8e.noarch.rpm | Linux |
| (RHSA-2020:1605) python27:2.7 security, bug fix, and enhancement update python2-psycopg2-2.7.5-7.module+el8.1.0+3111+de3f2d8e.x86_64.rpm | Linux |
| (RHSA-2020:1605) python27:2.7 security, bug fix, and enhancement update python2-psycopg2-debug-2.7.5-7.module+el8.1.0+3111+de3f2d8e.x86_64.rpm | Linux |
| (RHSA-2020:1605) python27:2.7 security, bug fix, and enhancement update python2-psycopg2-tests-2.7.5-7.module+el8.1.0+3111+de3f2d8e.x86_64.rpm | Linux |
| (RHSA-2020:1605) python27:2.7 security, bug fix, and enhancement update python2-py-1.5.3-6.module+el8.1.0+3111+de3f2d8e.noarch.rpm | Linux |
| (RHSA-2020:1605) python27:2.7 security, bug fix, and enhancement update python2-pygments-2.2.0-20.module+el8.1.0+3111+de3f2d8e.noarch.rpm | Linux |
| (RHSA-2020:1605) python27:2.7 security, bug fix, and enhancement update python2-pymongo-3.6.1-11.module+el8.1.0+3446+c3d52da3.x86_64.rpm | Linux |
| (RHSA-2020:1605) python27:2.7 security, bug fix, and enhancement update python2-pymongo-gridfs-3.6.1-11.module+el8.1.0+3446+c3d52da3.x86_64.rpm | Linux |
| (RHSA-2020:1605) python27:2.7 security, bug fix, and enhancement update python2-pysocks-1.6.8-6.module+el8.1.0+3111+de3f2d8e.noarch.rpm | Linux |
| (RHSA-2020:1605) python27:2.7 security, bug fix, and enhancement update python2-pytest-3.4.2-13.module+el8.1.0+3111+de3f2d8e.noarch.rpm | Linux |
| (RHSA-2020:1605) python27:2.7 security, bug fix, and enhancement update python2-pytest-mock-1.9.0-4.module+el8.1.0+3111+de3f2d8e.noarch.rpm | Linux |
| (RHSA-2020:1605) python27:2.7 security, bug fix, and enhancement update python2-pytz-2017.2-12.module+el8.1.0+3111+de3f2d8e.noarch.rpm | Linux |
| (RHSA-2020:1605) python27:2.7 security, bug fix, and enhancement update python2-pyyaml-3.12-16.module+el8.1.0+3111+de3f2d8e.x86_64.rpm | Linux |
| (RHSA-2020:1605) python27:2.7 security, bug fix, and enhancement update python2-requests-2.20.0-3.module+el8.2.0+4577+feefd9b8.noarch.rpm | Linux |
| (RHSA-2020:1605) python27:2.7 security, bug fix, and enhancement update python2-rpm-macros-3-38.module+el8.1.0+3111+de3f2d8e.noarch.rpm | Linux |
| (RHSA-2020:1605) python27:2.7 security, bug fix, and enhancement update python2-scipy-1.0.0-20.module+el8.1.0+3323+7ac3e00f.x86_64.rpm | Linux |
| (RHSA-2020:1605) python27:2.7 security, bug fix, and enhancement update python2-setuptools-39.0.1-11.module+el8.1.0+3446+c3d52da3.noarch.rpm | Linux |
| (RHSA-2020:1605) python27:2.7 security, bug fix, and enhancement update python2-setuptools-wheel-39.0.1-11.module+el8.1.0+3446+c3d52da3.noarch.rpm | Linux |
| (RHSA-2020:1605) python27:2.7 security, bug fix, and enhancement update python2-setuptools_scm-1.15.7-6.module+el8.1.0+3111+de3f2d8e.noarch.rpm | Linux |
| (RHSA-2020:1605) python27:2.7 security, bug fix, and enhancement update python2-six-1.11.0-5.module+el8.1.0+3111+de3f2d8e.noarch.rpm | Linux |
| (RHSA-2020:1605) python27:2.7 security, bug fix, and enhancement update python2-sqlalchemy-1.3.2-1.module+el8.1.0+2994+98e054d6.x86_64.rpm | Linux |
| (RHSA-2020:1605) python27:2.7 security, bug fix, and enhancement update python2-test-2.7.17-1.module+el8.2.0+4561+f4e0d66a.x86_64.rpm | Linux |
| (RHSA-2020:1605) python27:2.7 security, bug fix, and enhancement update python2-tkinter-2.7.17-1.module+el8.2.0+4561+f4e0d66a.x86_64.rpm | Linux |
| (RHSA-2020:1605) python27:2.7 security, bug fix, and enhancement update python2-tools-2.7.17-1.module+el8.2.0+4561+f4e0d66a.x86_64.rpm | Linux |
| (RHSA-2020:1605) python27:2.7 security, bug fix, and enhancement update python2-urllib3-1.24.2-1.module+el8.1.0+3280+19512f10.noarch.rpm | Linux |
| (RHSA-2020:1605) python27:2.7 security, bug fix, and enhancement update python2-virtualenv-15.1.0-19.module+el8.1.0+3507+d69c168d.noarch.rpm | Linux |
| (RHSA-2020:1605) python27:2.7 security, bug fix, and enhancement update python2-wheel-0.31.1-2.module+el8.1.0+3725+aac5cd17.noarch.rpm | Linux |
| (RHSA-2020:1605) python27:2.7 security, bug fix, and enhancement update python2-wheel-wheel-0.31.1-2.module+el8.1.0+3725+aac5cd17.noarch.rpm | Linux |
| (RHSA-2020:1605) python27:2.7 security, bug fix, and enhancement update scipy-debugsource-1.0.0-20.module+el8.1.0+3323+7ac3e00f.x86_64.rpm | Linux |
| (RHSA-2020:1916) python-pip security update platform-python-pip-9.0.3-16.el8.noarch.rpm | Linux |
| (RHSA-2020:1916) python-pip security update python3-pip-9.0.3-16.el8.noarch.rpm | Linux |
| (RHSA-2020:1916) python-pip security update python3-pip-wheel-9.0.3-16.el8.noarch.rpm | Linux |
| Python3-pip update (ELSA-2020-0850) python3-pip-9.0.3-7.el7_7.noarch.rpm | Linux |
| Python-virtualenv update (ELSA-2020-0851) python-virtualenv-15.1.0-4.el7_7.noarch.rpm | Linux |
| (CESA-2020:1916) python-pip security update platform-python-pip-9.0.3-16.el8.noarch.rpm | Linux |
| (CESA-2020:1916) python-pip security update python3-pip-9.0.3-16.el8.noarch.rpm | Linux |
| (CESA-2020:1916) python-pip security update python3-pip-wheel-9.0.3-16.el8.noarch.rpm | Linux |
| python-virtualenv Security Update (ALAS-2020-1413) python-virtualenv-15.1.0-4.amzn2.noarch.rpm | Linux |
| Vulnerabilities CVE-2018-20060 are fixed in Python-urllib3 for linux 1.23 | Linux |
| CVE-2018-20060 | NCM |
Patch Details
No records found
References
https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234