Skip to main content

Urllib3 CVE-2018-20060

CRITICAL
2018-12-11 cve@mitre.org
9.8
CVSS 3.0 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
CVE Published
Dec 11, 2018 - 17:29 nvd
CRITICAL 9.8

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 241 pypi packages depend on urllib3 (84 direct, 159 indirect)

Ecosystem-wide dependent count for version 1.23.

DescriptionNVD

urllib3 before version 1.23 does not remove the Authorization HTTP header when following a cross-origin redirect (i.e., a redirect that differs in host, port, or scheme). This can allow for credentials in the Authorization header to be exposed to unintended hosts or transmitted in cleartext.

AnalysisAI

urllib3 before version 1.23 does not remove the Authorization HTTP header when following a cross-origin redirect (i.e., a redirect that differs in host, port, or scheme). Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Technical ContextAI

urllib3 before version 1.23 does not remove the Authorization HTTP header when following a cross-origin redirect (i.e., a redirect that differs in host, port, or scheme). This can allow for credentials in the Authorization header to be exposed to unintended hosts or transmitted in cleartext. Affected products include: Python Urllib3, Fedoraproject Fedora. Version information: version 1.23.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

CVE-2024-37891 MEDIUM POC
6.5 Jun 17

urllib3 is a user-friendly HTTP client library for Python. Rated medium severity (CVSS 6.5), this vulnerability is remot

CVE-2019-11236 MEDIUM POC
6.1 Apr 15

In the urllib3 library through 1.24.1 for Python, CRLF injection is possible if the attacker controls the request parame

CVE-2025-50181 MEDIUM POC
5.3 Jun 19

urllib3 is a user-friendly HTTP client library for Python. Prior to 2.5.0, it is possible to disable redirects for all r

CVE-2026-21441 HIGH
8.9 Jan 07

Uncontrolled resource consumption in the Python urllib3 HTTP client library (versions 1.22 through 2.6.2) lets a malicio

CVE-2023-43804 HIGH
8.1 Oct 04

urllib3 is a user-friendly HTTP client library for Python. Rated high severity (CVSS 8.1), this vulnerability is remotel

CVE-2025-66418 HIGH
7.5 Dec 05

urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.24 and prior to 2.6.0, the number of li

CVE-2025-66471 HIGH
7.5 Dec 05

A security vulnerability in version 1.0 and (CVSS 7.5). High severity vulnerability requiring prompt remediation. Vendor

CVE-2021-33503 HIGH
7.5 Jun 29

An issue was discovered in urllib3 before 1.26.5. Rated high severity (CVSS 7.5), this vulnerability is remotely exploit

CVE-2020-7212 HIGH
7.5 Mar 06

The _encode_invalid_chars function in util/url.py in the urllib3 library 1.25.2 through 1.25.7 for Python allows a denia

CVE-2019-11324 HIGH
7.5 Apr 18

The urllib3 library before 1.24.2 for Python mishandles certain cases where the desired set of CA certificates is differ

CVE-2021-28363 MEDIUM
6.5 Mar 15

The urllib3 library 1.26.x before 1.26.4 for Python omits SSL certificate validation in some cases involving HTTPS to HT

CVE-2020-26137 MEDIUM
6.5 Sep 30

urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserti

Share

CVE-2018-20060 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy