Information Exposure

Affecting requests package, versions [,2.20)


Overview

Requests is a Non-GMO HTTP library for Python

Affected versions of this package are vulnerable to Information Exposure. When a request carrying an HTTP Authorization header is answered with a redirect from an https URL to an http URL on the same hostname, requests follows the redirect and re-sends the Authorization header over the plaintext http connection. The pre-2.20.0 redirect handling only compared the hostname of the original and redirected URLs before deciding whether to keep the header; the scheme and port were not considered, so a same-host downgrade kept the credentials. Any attacker able to observe traffic on the network path (passive sniffing is enough) can recover the credentials; a server-side redirect is all that is required, so the redirecting host need not be malicious itself, only misconfigured or compromised.
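The check below is an added illustration, not code from the requests project or from this advisory: two hypothetical policy functions re-create the hostname-only decision of the old redirect handling and the scheme-and-port-aware rule that 2.20.0 introduced, then apply both to constructed redirect pairs to show exactly which case leaks the header. The function and constant names (legacy_should_strip_auth, fixed_should_strip_auth, rebuild_headers, CASES) and the sample URLs are assumptions made for the example.

```python
"""Why a same-host https->http redirect leaked Authorization in requests < 2.20.0.

Illustrative re-implementation (hypothetical names, not copied from requests)
of the redirect-auth decision before and after the fix, run over constructed
redirect pairs. Pure urllib.parse logic, no network access needed.
"""
from urllib.parse import urlparse

DEFAULT_PORTS = {"http": 80, "https": 443}


def legacy_should_strip_auth(old_url: str, new_url: str) -> bool:
    """Pre-2.20.0 behaviour: only a hostname change drops the header.
    Scheme and port are ignored, so https://host -> http://host keeps it."""
    return urlparse(old_url).hostname != urlparse(new_url).hostname


def fixed_should_strip_auth(old_url: str, new_url: str) -> bool:
    """2.20.0-style rule: keep the header only if scheme and effective port
    are preserved, with one deliberate exception for http:80 -> https:443
    (an upgrade never moves the credential onto a weaker transport)."""
    old, new = urlparse(old_url), urlparse(new_url)
    if old.hostname != new.hostname:
        return True
    old_port = old.port or DEFAULT_PORTS.get(old.scheme)
    new_port = new.port or DEFAULT_PORTS.get(new.scheme)
    if (old.scheme == "http" and old_port == 80
            and new.scheme == "https" and new_port == 443):
        return False
    return old.scheme != new.scheme or old_port != new_port


def rebuild_headers(headers: dict, old_url: str, new_url: str, policy) -> dict:
    """Headers that would be sent on the redirected request under `policy`."""
    out = dict(headers)
    if "Authorization" in out and policy(old_url, new_url):
        del out["Authorization"]
    return out


# Constructed (original request URL, Location header of the 30x response) pairs.
CASES = [
    ("https://api.example.com/v1/me", "http://api.example.com/v1/me"),    # same-host downgrade
    ("https://api.example.com/v1/me", "https://api.example.com/v2/me"),   # same origin
    ("http://api.example.com/v1/me",  "https://api.example.com/v1/me"),   # upgrade
    ("https://api.example.com/v1/me", "https://api.example.com:8443/x"),  # port change
    ("https://api.example.com/v1/me", "https://cdn.example.com/x"),       # host change
]


def leaks_under(policy) -> list:
    """Redirect targets for which the Authorization header would still be
    sent over plaintext http under the given policy."""
    hdrs = {"Authorization": "Bearer s3cr3t-token"}  # constructed credential
    return [new for old, new in CASES
            if urlparse(new).scheme == "http"
            and "Authorization" in rebuild_headers(hdrs, old, new, policy)]


if __name__ == "__main__":
    print("leaks with legacy rule:", leaks_under(legacy_should_strip_auth))
    print("leaks with fixed rule: ", leaks_under(fixed_should_strip_auth))
```

Under the legacy rule the first pair (https to http on the same host) keeps the bearer token and sends it in clear; under the fixed rule the same pair strips it, the https-to-https and http-to-https pairs keep it, and a port or host change strips it.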

Remediation

Upgrade requests to version 2.20.0 or higher. If an immediate upgrade is not possible, pass allow_redirects=False on authenticated calls and handle any redirect explicitly, refusing to follow a Location that downgrades https to http.

CVSS Score

9.8
critical severity
  • Attack Vector
    Network
  • Attack Complexity
    Low
  • Privileges Required
    None
  • User Interaction
    None
  • Scope
    Unchanged
  • Confidentiality
    High
  • Integrity
    High
  • Availability
    High
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P
Credit
Unknown
CVE
CVE-2018-18074
CWE
CWE-200
Snyk ID
SNYK-PYTHON-REQUESTS-72435
Disclosed
09 Oct, 2018
Published
10 Oct, 2018