CVE-2018-18074

Advisory

Requests before 2.20.0 sends an HTTP Authorization header to an http URI upon receiving a same-hostname https-to-http redirect, which makes it easier for remote attackers to discover credentials by sniffing the network.

Affected package

Affected versions

Fixed versions

Vulnerability changelog

The Requests package through 2.19.1 before 2018-09-14 for Python sends an HTTP Authorization header to an http URI upon receiving a same-hostname https-to-http redirect, which makes it easier for remote attackers to discover credentials by sniffing the network.


MISC:https://github.com/requests/requests/commit/c45d7c49ea75133e52ab22a8e9e13173938e36ff: https://github.com/requests/requests/commit/c45d7c49ea75133e52ab22a8e9e13173938e36ff
MISC:https://github.com/requests/requests/issues/4716: https://github.com/requests/requests/issues/4716
MISC:https://github.com/requests/requests/pull/4718: https://github.com/requests/requests/pull/4718

Resources

• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18074
• https://github.com/requests/requests/pull/4718
• https://github.com/requests/requests/issues/4716
• https://github.com/requests/requests/commit/c45d7c49ea75133e52ab22a8e9e13173938e36ff
• https://bugs.debian.org/910766
• https://usn.ubuntu.com/3790-1/
• http://docs.python-requests.org/en/master/community/updates/#release-and-version-history
• https://usn.ubuntu.com/3790-2/
• http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00024.html
• https://access.redhat.com/errata/RHSA-2019:2035
• https://www.oracle.com/security-alerts/cpujul2022.html