urllib3 before version 1.23 does not remove the Authorization HTTP header when following a cross-origin redirect (i.e., a redirect that differs in host, port, or scheme). This can allow for credentials in the Authorization header to be exposed to unintended hosts or transmitted in cleartext.
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2018-12-11T17:00:00

Updated: 2024-08-05T11:51:18.930Z

Reserved: 2018-12-11T00:00:00

Link: CVE-2018-20060

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2018-12-11T17:29:00.380

Modified: 2024-11-21T04:00:49.450

Link: CVE-2018-20060

cve-icon Redhat

Severity : Moderate

Publid Date: 2018-03-26T00:00:00Z

Links: CVE-2018-20060 - Bugzilla