CVE-2018-18074: python-requests package may reveal credentials
Bug #1801798 reported by Ken Young
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
StarlingX | Fix Released | Low | Ghada Khalil | |
Bug Description
Title
-----
CVE-2018-18074: requests package may reveal credentials
Brief Description
-----------------
The Requests package before 2.20.0 for Python sends an HTTP Authorization header to an http URI upon receiving a same-hostname https-to-http redirect, which makes it easier for remote attackers to discover credentials by sniffing the network.
This potential issue was identified by spec file requirement scanning in GitHub. The email from GitHub is attached.
Red Hat's analysis is here: https:/
NIST is here: https:/
- no data yet.
Severity
--------
<Minor: System/Feature is usable with minor issue>
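An added example, not part of the bug report or the Requests code base: a redirect audit that models the affected behaviour as a hostname-only comparison (an assumption based on the description above) and flags hops where a scheme- and port-aware rule would have dropped the Authorization header. It goes slightly beyond the https-to-http case by also treating port changes as a reason to strip; function names and sample hosts are hypothetical.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return (scheme, hostname, port) with the scheme's default port filled in."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    return scheme, (parts.hostname or "").lower(), parts.port or DEFAULT_PORTS.get(scheme)


def hostname_only_strips(old_url, new_url):
    """Assumed model of the affected behaviour: only a hostname change drops the header."""
    return origin(old_url)[1] != origin(new_url)[1]


def should_strip_auth(old_url, new_url):
    """Scheme- and port-aware rule: drop Authorization unless the origin is unchanged."""
    old, new = origin(old_url), origin(new_url)
    if old[1] != new[1]:
        return True
    # An http -> https upgrade on default ports only strengthens the transport.
    if (old[0], old[2], new[0], new[2]) == ("http", 80, "https", 443):
        return False
    return old[0] != new[0] or old[2] != new[2]


def exposed_hops(chain):
    """List (from, to) hops where the hostname-only rule still forwards Authorization
    although the scheme-aware rule would have removed it."""
    exposed, header_present = [], True
    for old_url, new_url in zip(chain, chain[1:]):
        if not header_present:
            break
        if hostname_only_strips(old_url, new_url):
            header_present = False
        elif should_strip_auth(old_url, new_url):
            exposed.append((old_url, new_url))
    return exposed


# Constructed redirect chain (hypothetical hosts), not taken from the bug report.
SAMPLE_CHAIN = [
    "https://api.example.test/v1/token",
    "http://api.example.test/v1/token",    # same hostname, https -> http
    "http://cdn.example.test/asset",       # hostname change
]

if __name__ == "__main__":
    for src, dst in exposed_hops(SAMPLE_CHAIN):
        print(f"Authorization would cross {src} -> {dst}")
```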
CVE References
tags: | added: stx.security |
Changed in starlingx: | |
assignee: | nobody → Ken Young (kenyis) |
summary: |
- CVE-2018-18074: requests package may reveal credentials
+ CVE-2018-18074: python-requests package may reveal credentials
Changed in starlingx: | |
assignee: | Ken Young (kenyis) → Ghada Khalil (gkhalil) |
information type: | Private Security → Public Security |
tags: | added: stx.8.0 |
Changed in starlingx: | |
status: | Triaged → Fix Released |
Red Hat's analysis of this issue shows that its criticality is low:
CVSS3 Base Score: 2.6
CVSS3 Base Metrics: CVSS:3.0/AV:A/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N