CVE-2018-25091

NameCVE-2018-25091
Descriptionurllib3 before 1.24.2 does not remove the authorization HTTP header when following a cross-origin redirect (i.e., a redirect that differs in host, port, or scheme). This can allow for credentials in the authorization header to be exposed to unintended hosts or transmitted in cleartext. NOTE: this issue exists because of an incomplete fix for CVE-2018-20060 (which was case-sensitive).
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-3610-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
python-urllib3 (PTS)bullseye1.26.5-1~exp1fixed
bookworm1.26.12-1fixed
sid, trixie2.2.3-3fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
python-urllib3sourcebuster1.24.1-1+deb10u1DLA-3610-1
python-urllib3source(unstable)1.25.6-4

Notes

https://github.com/urllib3/urllib3/issues/1510
This issue exists because of an incomplete fix for CVE-2018-20060 (which was case-sensitive).
Fixed by https://github.com/urllib3/urllib3/commit/adb358f8e06865406d1f05e581a16cbea2136fbc (1.25)

Search for package or bug name: Reporting problems