CVE-2018-20060

Priority
Description
urllib3 before version 1.23 does not remove the Authorization HTTP header
when following a cross-origin redirect (i.e., a redirect that differs in
host, port, or scheme). This can allow for credentials in the Authorization
header to be exposed to unintended hosts or transmitted in cleartext.
Assigned-to
mdeslaur
Package
Upstream:released (1.24-1)
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 ESM (Trusty Tahr):needed
Ubuntu 16.04 LTS (Xenial Xerus):released (1.13.1-2ubuntu0.16.04.3)
Ubuntu 18.04 LTS (Bionic Beaver):released (1.22-1ubuntu0.18.04.1)
Ubuntu 18.10 (Cosmic Cuttlefish):released (1.22-1ubuntu0.18.10.1)
Ubuntu 19.04 (Disco Dingo):not-affected (1.24-1)
Ubuntu 19.10 (Eoan):not-affected (1.24-1)
Patches:
Upstream:https://github.com/urllib3/urllib3/pull/1346
Upstream:https://github.com/urllib3/urllib3/commit/3d7f98b07b6e6e04c2e89cdf5afb18024a2d804c
Upstream:https://github.com/urllib3/urllib3/commit/f99912beeaf230ee3634b938d3ea426ffd1f3e57
Upstream:https://github.com/urllib3/urllib3/commit/48dba048081dfcb999afcda715d17147aa15b6ea
Upstream:https://github.com/urllib3/urllib3/commit/23e2eb56af23db5a1eeb8ad9b51dd99a27c15522
Upstream:https://github.com/urllib3/urllib3/commit/5e9c6b9175d66170ef65fc703f2e46788a59ca0c
Upstream:https://github.com/urllib3/urllib3/commit/9c9dd6f3014e89bb9c532b641abcf1b24c3896ab
Upstream:https://github.com/urllib3/urllib3/commit/6245ddddb7f80740c5c15e1750e5b9f68c5b2b5f
Upstream:https://github.com/urllib3/urllib3/commit/3b5f27449e153ad05186beca8fbd9b134936fe50
Upstream:https://github.com/urllib3/urllib3/commit/1742538d57865e61125c6c12a755b5db41636fe7
Upstream:https://github.com/urllib3/urllib3/commit/2a42e70ff077006d5a6da92251ddbb2939303f94
Upstream:https://github.com/urllib3/urllib3/commit/e8a727a0b8389f5f75981858a8bbb319646f4450
Upstream:https://github.com/urllib3/urllib3/commit/63948f3a607ed8e7a3ce9ac4e20782359896e27e
More Information

Updated: 2019-05-21 14:14:20 UTC (commit 77e0de274d16a6d571b53c3889e93bc19d1a8d15)