CVE-2018-20060 — CRITICAL (9.8)

Q: How severe is CVE-2018-20060?

CVE-2018-20060 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Q: Is there a patch for CVE-2018-20060?

Check the references section above for vendor advisories and patch information. Affected products include: Python Urllib3, Fedoraproject Fedora.

Vulnerability Description

urllib3 before version 1.23 does not remove the Authorization HTTP header when following a cross-origin redirect (i.e., a redirect that differs in host, port, or scheme). This can allow for credentials in the Authorization header to be exposed to unintended hosts or transmitted in cleartext.

CVSS Score

9.8

CRITICAL

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Python	Urllib3	< 1.23
Fedoraproject	Fedora	28

References

http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00039.html
https://access.redhat.com/errata/RHSA-2019:2272
https://bugzilla.redhat.com/show_bug.cgi?id=1649153Issue TrackingMitigationPatch
https://github.com/urllib3/urllib3/blob/master/CHANGES.rstRelease NotesThird Party Advisory
https://github.com/urllib3/urllib3/issues/1316Third Party Advisory
https://github.com/urllib3/urllib3/pull/1346Third Party Advisory
https://lists.debian.org/debian-lts-announce/2021/06/msg00015.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://usn.ubuntu.com/3990-1/
http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00039.html
https://access.redhat.com/errata/RHSA-2019:2272
https://bugzilla.redhat.com/show_bug.cgi?id=1649153Issue TrackingMitigationPatch
https://github.com/urllib3/urllib3/blob/master/CHANGES.rstRelease NotesThird Party Advisory

FAQ

What is CVE-2018-20060?

CVE-2018-20060 is a vulnerability with a CVSS score of 9.8 (CRITICAL). urllib3 before version 1.23 does not remove the Authorization HTTP header when following a cross-origin redirect (i.e., a redirect that differs in host, port, or scheme). This can allow for credential...

How severe is CVE-2018-20060?

CVE-2018-20060 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2018-20060?

Check the references section above for vendor advisories and patch information. Affected products include: Python Urllib3, Fedoraproject Fedora.