DEBIAN-CVE-2018-20060

DEBIAN-CVE-2018-20060 PUBLISHED CVSS 9.800000190734863 CRITICAL

urllib3 before version 1.23 does not remove the Authorization HTTP header when following a cross-origin redirect (i.e., a redirect that differs in host, port, or scheme). This can allow for credentials in the Authorization header to be exposed to unintended hosts or transmitted in cleartext.

Risk Scores

CVSS v3.0

9.800000190734863

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Products

Vendor	Product	Versions
Debian:14	python-urllib3	0, 0, 0
Debian:12	python-urllib3	0, 0, 0
Debian:13	python-urllib3	0, 0, 0
Debian:11	python-urllib3	0, 0, 0

Timeline

Dec 11, 2018 CVE Published
Apr 28, 2026 CVE Updated

References

https://security-tracker.debian.org/tracker/CVE-2018-20060 advisory

Open in Interactive Console →