CVE-2018-20060
python-urllib3 - security update
9.8
CRITICAL
CVSS 3.1
EPSS 0.66%
Description
urllib3 before version 1.23 does not remove the Authorization HTTP header when following a cross-origin redirect (i.e., a redirect that differs in host, port, or scheme). This can allow for credentials in the Authorization header to be exposed to unintended hosts or transmitted in cleartext.
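The check a client needs when following a redirect, as an added illustration that is not urllib3's own code: it normalises scheme, host and port (so a default port does not count as a new origin), resolves a possibly relative Location, and drops Authorization only when the origin actually changes. The sample URLs and header values are constructed.

```python
from urllib.parse import urljoin, urlsplit

# Default ports, so http://example.com and http://example.com:80 are the same origin.
DEFAULT_PORTS = {"http": 80, "https": 443}

# Headers that must not travel to a different origin (Authorization is the one CVE-2018-20060 concerns).
SENSITIVE_HEADERS = ("authorization",)


def origin(url: str) -> tuple:
    """Return (scheme, host, port) for a URL, filling in the scheme's default port."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return scheme, host, port


def is_cross_origin(original_url: str, redirect_url: str) -> bool:
    """True when the redirect target differs in scheme, host, or port."""
    return origin(original_url) != origin(redirect_url)


def headers_for_redirect(headers: dict, original_url: str, location: str) -> tuple:
    """Resolve the Location header and strip sensitive headers on a cross-origin hop.

    Returns (absolute_redirect_url, headers_to_send); the input dict is left untouched.
    """
    redirect_url = urljoin(original_url, location)  # Location may be relative
    sent = dict(headers)
    if is_cross_origin(original_url, redirect_url):
        for name in list(sent):
            if name.lower() in SENSITIVE_HEADERS:
                del sent[name]
    return redirect_url, sent


if __name__ == "__main__":
    # Constructed example: a bearer token must not follow a redirect to another host.
    req_headers = {"Authorization": "Bearer <constructed-token>", "Accept": "*/*"}
    print(headers_for_redirect(req_headers, "https://api.example.com/v1", "https://cdn.example.net/v1"))
    print(headers_for_redirect(req_headers, "https://api.example.com/v1", "/login"))
```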
How to fix CVE-2018-20060
To remediate CVE-2018-20060, upgrade the affected package to a fixed version below.
- upgrade to 1.24-1 or later
- upgrade to 1.19.1-1+deb9u1 or later
- upgrade to 1.23 or later
- upgrade to 1.23 or later
Is CVE-2018-20060 being exploited?
Low — EPSS is 0.7%, meaning exploitation activity has not been observed at scale.
Affected packages (4)
- from 0, < 1.24-1
- from 0, < 1.19.1-1+deb9u1
- from 0, < 1.23
- from 0, < 1.23
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | CRITICAL 9.8 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |