CVE-2018-25091

Name	CVE-2018-25091
Description	urllib3 before 1.24.2 does not remove the authorization HTTP header when following a cross-origin redirect (i.e., a redirect that differs in host, port, or scheme). This can allow for credentials in the authorization header to be exposed to unintended hosts or transmitted in cleartext. NOTE: this issue exists because of an incomplete fix for CVE-2018-20060 (which was case-sensitive).
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DLA-3610-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
python-urllib3 (PTS)	bullseye	1.26.5-1~exp1	fixed
	bookworm	1.26.12-1	fixed
	sid, trixie	2.0.7-2	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
python-urllib3	source	buster	1.24.1-1+deb10u1		DLA-3610-1
python-urllib3	source	(unstable)	1.25.6-4

Notes

https://github.com/urllib3/urllib3/issues/1510
This issue exists because of an incomplete fix for CVE-2018-20060 (which was case-sensitive).
Fixed by https://github.com/urllib3/urllib3/commit/adb358f8e06865406d1f05e581a16cbea2136fbc (1.25)