Exposure of Sensitive Information to an Unauthorized Actor in urllib3
Critical severity
GitHub Reviewed
Published
Dec 12, 2018
to the GitHub Advisory Database
•
Updated Dec 27, 2024
Description
Published by the National Vulnerability Database
Dec 11, 2018
Published to the GitHub Advisory Database
Dec 12, 2018
Reviewed
Jun 16, 2020
Last updated
Dec 27, 2024
urllib3 before version 1.23 does not remove the Authorization HTTP header when following a cross-origin redirect (i.e., a redirect that differs in host, port, or scheme). This can allow for credentials in the Authorization header to be exposed to unintended hosts or transmitted in cleartext.
References