Safety vulnerability ID: 36541
The information on this page was manually curated by our Cybersecurity Intelligence Team.
urllib3 before version 1.23 does not remove the Authorization HTTP header when following a cross-origin redirect (one whose host, port, or scheme differs from the original request). Credentials in that header can therefore be sent to an unintended host, or transmitted in cleartext when the redirect downgrades from https to http.
Latest version: 2.2.3
HTTP library with thread-safe connection pooling, file post, and more.
* Allow providing a list of headers to strip from requests when redirecting
to a different host. Defaults to the ``Authorization`` header. Different
headers can be set via ``Retry.remove_headers_on_redirect``. (Issue 1316)
* Fix ``util.selectors._fileobj_to_fd`` to accept ``long`` (Issue 1247).
* Dropped Python 3.3 support. (Pull 1242)
* Put the connection back in the pool when calling stream() or read_chunked() on
a chunked HEAD response. (Issue 1234)
* Fixed pyOpenSSL-specific ssl client authentication issue when clients
attempted to auth via certificate + chain (Issue 1060)
* Add the port to the connectionpool connect print (Pull 1251)
* Don't use the ``uuid`` module to create multipart data boundaries. (Pull 1380)
* ``read_chunked()`` on a closed response returns no chunks. (Issue 1088)
* Add Python 2.6 support to ``contrib.securetransport`` (Pull 1359)
* Added support for auth info in url for SOCKS proxy (Pull 1363)
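To make the advisory and the first changelog entry concrete, here is an added example (it is not urllib3's own code): a stdlib-only model of a redirect-following client that reproduces the pre-1.23 behaviour (forward every header) beside the 1.23 behaviour (drop Authorization once scheme, host or port changes), run against a constructed redirect chain with hypothetical hosts, plus a small helper showing the real ``Retry.remove_headers_on_redirect`` setting. The helper function names, the redirect chain and the token value are illustrative; ``make_urllib3_retry`` assumes urllib3 1.23 or later is installed and is the only part that touches the library.

```python
"""Why urllib3 < 1.23 leaked Authorization on cross-origin redirects.

Added example, not urllib3's own code: a stdlib-only model of a client that
follows redirects, run against a constructed redirect chain, plus the
urllib3 >= 1.23 Retry configuration that turns on the real fix.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Headers never forwarded to a different origin.  Mirrors the 1.23 default
# (Authorization only); a stricter policy would add e.g. "Cookie".
SENSITIVE_HEADERS = frozenset({"authorization"})


def origin(url):
    """Return the (scheme, host, port) tuple, filling in default ports."""
    parts = urlsplit(url)
    scheme = (parts.scheme or "http").lower()
    host = (parts.hostname or "").lower()
    port = parts.port or DEFAULT_PORTS.get(scheme)
    return scheme, host, port


def is_same_origin(url_a, url_b):
    """A redirect is cross-origin if scheme, host or port differs."""
    return origin(url_a) == origin(url_b)


def headers_for_redirect(headers, from_url, to_url, strip=SENSITIVE_HEADERS):
    """Headers to send on the redirected request.

    strip=frozenset() reproduces the pre-1.23 behaviour (forward everything);
    the default reproduces 1.23 (drop Authorization when the origin changes).
    """
    if is_same_origin(from_url, to_url):
        return dict(headers)
    return {k: v for k, v in headers.items() if k.lower() not in strip}


def follow_redirects(url, headers, redirect_map, strip=SENSITIVE_HEADERS,
                     max_redirects=5):
    """Walk a redirect chain; return [(url, headers sent to it), ...]."""
    trace = []
    current = dict(headers)
    for _ in range(max_redirects + 1):
        trace.append((url, dict(current)))
        target = redirect_map.get(url)
        if target is None:
            return trace
        current = headers_for_redirect(current, url, target, strip)
        url = target
    raise RuntimeError("too many redirects")


# Constructed redirect chain (hypothetical hosts, not from the advisory):
# the API host bounces to a CDN on another host, which then downgrades to http.
REDIRECTS = {
    "https://api.example.com/v1/report": "https://cdn.example.net/report.csv",
    "https://cdn.example.net/report.csv": "http://cdn.example.net/report.csv",
}
REQUEST_HEADERS = {"Authorization": "Bearer SECRET-TOKEN", "Accept": "text/csv"}


def leaked_to(strip=SENSITIVE_HEADERS):
    """URLs on a different origin than the first that still received the token."""
    trace = follow_redirects("https://api.example.com/v1/report",
                             REQUEST_HEADERS, REDIRECTS, strip)
    first = origin(trace[0][0])
    return [u for u, h in trace[1:]
            if "Authorization" in h and origin(u) != first]


def make_urllib3_retry(extra_headers=()):
    """Retry object for urllib3 >= 1.23 (assumes urllib3 is installed).

    Usage: urllib3.PoolManager().request("GET", url, headers=..., retries=retry)
    """
    import urllib3
    names = ["Authorization", *extra_headers]
    return urllib3.Retry(total=5, redirect=5, remove_headers_on_redirect=names)


if __name__ == "__main__":
    print("pre-1.23 leaks token to:", leaked_to(strip=frozenset()))
    print("1.23+ leaks token to:   ", leaked_to())
```

Running the module shows the pre-1.23 model handing the bearer token to the CDN host over https and then again over plain http, while the 1.23 model strips it at the first cross-origin hop. Note that a same-host scheme downgrade (https to http) counts as cross-origin here, which is what makes the cleartext case in the advisory a redirect problem rather than only a wrong-host problem; also note that urllib3 1.23 matched header names by exact string, so pass names in the case you actually send them.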