Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1Blast Radius
ecosystem impact- 241 pypi packages depend on urllib3 (84 direct, 159 indirect)
Ecosystem-wide dependent count for version 1.23.
DescriptionNVD
urllib3 before version 1.23 does not remove the Authorization HTTP header when following a cross-origin redirect (i.e., a redirect that differs in host, port, or scheme). This can allow for credentials in the Authorization header to be exposed to unintended hosts or transmitted in cleartext.
AnalysisAI
urllib3 before version 1.23 does not remove the Authorization HTTP header when following a cross-origin redirect (i.e., a redirect that differs in host, port, or scheme). Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
Technical ContextAI
urllib3 before version 1.23 does not remove the Authorization HTTP header when following a cross-origin redirect (i.e., a redirect that differs in host, port, or scheme). This can allow for credentials in the Authorization header to be exposed to unintended hosts or transmitted in cleartext. Affected products include: Python Urllib3, Fedoraproject Fedora. Version information: version 1.23.
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.
urllib3 is a user-friendly HTTP client library for Python. Rated medium severity (CVSS 6.5), this vulnerability is remot
In the urllib3 library through 1.24.1 for Python, CRLF injection is possible if the attacker controls the request parame
urllib3 is a user-friendly HTTP client library for Python. Prior to 2.5.0, it is possible to disable redirects for all r
Uncontrolled resource consumption in the Python urllib3 HTTP client library (versions 1.22 through 2.6.2) lets a malicio
urllib3 is a user-friendly HTTP client library for Python. Rated high severity (CVSS 8.1), this vulnerability is remotel
urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.24 and prior to 2.6.0, the number of li
A security vulnerability in version 1.0 and (CVSS 7.5). High severity vulnerability requiring prompt remediation. Vendor
An issue was discovered in urllib3 before 1.26.5. Rated high severity (CVSS 7.5), this vulnerability is remotely exploit
The _encode_invalid_chars function in util/url.py in the urllib3 library 1.25.2 through 1.25.7 for Python allows a denia
The urllib3 library before 1.24.2 for Python mishandles certain cases where the desired set of CA certificates is differ
The urllib3 library 1.26.x before 1.26.4 for Python omits SSL certificate validation in some cases involving HTTPS to HT
urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserti
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today