CVE-2018-25091
Published: 15 October 2023
urllib3 before 1.24.2 does not remove the authorization HTTP header when following a cross-origin redirect (i.e., a redirect that differs in host, port, or scheme). This can allow for credentials in the authorization header to be exposed to unintended hosts or transmitted in cleartext. NOTE: this issue exists because of an incomplete fix for CVE-2018-20060 (which was case-sensitive).
Notes
| Author | Note |
|---|---|
| mdeslaur | On focal and earlier, the python-pip package bundles python-urllib3 binaries when built. After updating python-urllib3, a no-change rebuild of python-pip is required. On jammy and later, python-urllib3 is bundled in the python-pip package and needs to be patched. |
| sbeattie | According to Debian, this issue exists because of an incomplete fix for CVE-2018-20060 (which was case-sensitive) |
Priority
Status
| Package | Release | Status |
|---|---|---|
|
python-urllib3 Launchpad, Ubuntu, Debian |
trusty |
Needs triage
|
| focal |
Not vulnerable
(1.25.8-2ubuntu0.2)
|
|
| jammy |
Not vulnerable
|
|
| lunar |
Not vulnerable
|
|
| mantic |
Not vulnerable
|
|
| upstream |
Released
(1.25.6-4)
|
|
| bionic |
Released
(1.22-1ubuntu0.18.04.2+esm1)
Available with Ubuntu Pro or Ubuntu Pro (Infra-only) |
|
| xenial |
Released
(1.13.1-2ubuntu0.16.04.4+esm1)
Available with Ubuntu Pro or Ubuntu Pro (Infra-only) |
|
|
python-pip Launchpad, Ubuntu, Debian |
trusty |
Needs triage
|
| bionic |
Released
(9.0.1-2.3~ubuntu1.18.04.8+esm2)
Available with Ubuntu Pro |
|
| focal |
Released
(20.0.2-5ubuntu1.10)
|
|
| upstream |
Needs triage
|
|
| jammy |
Released
(22.0.2+dfsg-1ubuntu0.4)
|
|
| lunar |
Released
(23.0.1+dfsg-1ubuntu0.2)
|
|
| mantic |
Released
(23.2+dfsg-1ubuntu0.1)
|
|
| xenial |
Released
(8.1.1-2ubuntu0.6+esm6)
Available with Ubuntu Pro |
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 6.1 |
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | Required |
| Scope | Changed |
| Confidentiality | Low |
| Integrity impact | Low |
| Availability impact | None |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-25091
- https://github.com/urllib3/urllib3/issues/1510
- https://github.com/urllib3/urllib3/compare/1.24.1...1.24.2
- https://github.com/urllib3/urllib3/commit/adb358f8e06865406d1f05e581a16cbea2136fbc
- https://ubuntu.com/security/notices/USN-6473-1
- https://ubuntu.com/security/notices/USN-6473-2
- NVD
- Launchpad
- Debian