CVE-2018-20060: Infoleak
First published: Mon Mar 26 2018(Updated: )
Last updated 24 July 2024
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/python-urllib3 | <0:1.10.2-7.el7 | 0:1.10.2-7.el7 |
| redhat/python-pip | <0:9.0.3-7.el7_7 | 0:9.0.3-7.el7_7 |
| redhat/python-virtualenv | <0:15.1.0-4.el7_7 | 0:15.1.0-4.el7_7 |
| redhat/python-pip | <0:9.0.3-7.el7_8 | 0:9.0.3-7.el7_8 |
| redhat/python-virtualenv | <0:15.1.0-4.el7_8 | 0:15.1.0-4.el7_8 |
| redhat/python-pip | <0:9.0.3-16.el8 | 0:9.0.3-16.el8 |
| Python urllib3 | <1.23 | |
| Fedoraproject Fedora | =28 | |
| Fedoraproject Fedora | =29 | |
| Fedoraproject Fedora | =30 | |
| redhat/python-urllib3 | <1.23 | 1.23 |
| pip/urllib3 | <1.23 | 1.23 |
| debian/python-urllib3 | 1.26.5-1~exp1 1.26.12-1 2.2.3-4 |
Remedy
Use `retries=urllib3.Retry(redirect=0)` when performing requests if you do not need redirection and handle the redirects manually if you need them.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://nvd.nist.gov/vuln/detail/CVE-2018-20060
- https://github.com/urllib3/urllib3/issues/1316
- https://github.com/urllib3/urllib3/pull/1346
- https://access.redhat.com/errata/RHSA-2019:2272
- https://bugzilla.redhat.com/show_bug.cgi?id=1649153
- https://github.com/advisories/GHSA-www2-v7xj-xrc6 (Advisory)
- https://github.com/urllib3/urllib3/blob/master/CHANGES.rst
- https://lists.debian.org/debian-lts-announce/2021/06/msg00015.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5SJERZEJDSUYQP7BNBXMBHRHGY26HRZD/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BXLAXHM3Z6DUCXZ7ZXZ2EAYJXWDCZFCT/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XWP36YW3KSVLXDBY3QJKDYEPCIMN3VQZ/
- https://usn.ubuntu.com/3990-1/
- http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00039.html
- https://github.com/urllib3/urllib3/commit/560bd227b90f74417ffaedebf5f8d05a8ee4f532
- https://www.cve.org/CVERecord?id=CVE-2018-20060 https://nvd.nist.gov/vuln/detail/CVE-2018-20060
- https://access.redhat.com/errata/RHBA-2020:1539
- https://access.redhat.com/errata/RHBA-2020:1540
- https://access.redhat.com/errata/RHSA-2020:0850
- https://access.redhat.com/errata/RHSA-2020:0851
- https://access.redhat.com/errata/RHSA-2020:2068
- https://access.redhat.com/errata/RHSA-2020:2081
- https://access.redhat.com/errata/RHSA-2020:1605
- https://access.redhat.com/errata/RHSA-2020:1916
- https://access.redhat.com/security/cve/cve-2018-20060
- https://launchpad.net/bugs/cve/CVE-2018-20060
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5SJERZEJDSUYQP7BNBXMBHRHGY26HRZD/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BXLAXHM3Z6DUCXZ7ZXZ2EAYJXWDCZFCT/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XWP36YW3KSVLXDBY3QJKDYEPCIMN3VQZ/
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1649156
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1649154
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1649155
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1649157
- https://github.com/urllib3/urllib3/commit/3d7f98b07b6e6e04c2e89cdf5afb18024a2d804c
- https://github.com/urllib3/urllib3/commit/f99912beeaf230ee3634b938d3ea426ffd1f3e57
- https://github.com/urllib3/urllib3/commit/48dba048081dfcb999afcda715d17147aa15b6ea
- https://github.com/urllib3/urllib3/commit/23e2eb56af23db5a1eeb8ad9b51dd99a27c15522
- https://github.com/urllib3/urllib3/commit/5e9c6b9175d66170ef65fc703f2e46788a59ca0c
- https://github.com/urllib3/urllib3/commit/9c9dd6f3014e89bb9c532b641abcf1b24c3896ab
- https://github.com/urllib3/urllib3/commit/6245ddddb7f80740c5c15e1750e5b9f68c5b2b5f
- https://github.com/urllib3/urllib3/commit/3b5f27449e153ad05186beca8fbd9b134936fe50
- https://github.com/urllib3/urllib3/commit/1742538d57865e61125c6c12a755b5db41636fe7
- https://github.com/urllib3/urllib3/commit/2a42e70ff077006d5a6da92251ddbb2939303f94
- https://github.com/urllib3/urllib3/commit/e8a727a0b8389f5f75981858a8bbb319646f4450
- https://github.com/urllib3/urllib3/commit/63948f3a607ed8e7a3ce9ac4e20782359896e27e
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1649153#c17
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1649153#c3
- https://svn.devel.redhat.com/repos/srtvulns/trunk/components/python-urllib3/
- https://access.redhat.com/security/cve/CVE-2018-20060
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1649153#c4
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1774426
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1774425
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1774427
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1778104
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1778102
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1778105
- https://github.com/urllib3/urllib3/commit/adb358f8e06865406d1f05e581a16cbea2136fbc
- https://security-tracker.debian.org/tracker/CVE-2018-20060
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20060
- https://ubuntu.com/security/CVE-2018-20060
- https://github.com/pypa/advisory-database/tree/main/vulns/urllib3/PYSEC-2018-32.yaml
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5SJERZEJDSUYQP7BNBXMBHRHGY26HRZD
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BXLAXHM3Z6DUCXZ7ZXZ2EAYJXWDCZFCT
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XWP36YW3KSVLXDBY3QJKDYEPCIMN3VQZ
- https://usn.ubuntu.com/3990-1
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is CVE-2018-20060?
CVE-2018-20060 is a vulnerability in urllib3 before version 1.23 that allows for credentials in the Authorization HTTP header to be exposed to unintended hosts or transmitted in cleartext.
What is the severity of CVE-2018-20060?
The severity of CVE-2018-20060 is critical with a severity value of 9.8.
How does CVE-2018-20060 affect urllib3?
CVE-2018-20060 affects urllib3 before version 1.23.
How can I fix CVE-2018-20060?
To fix CVE-2018-20060, upgrade urllib3 to version 1.23 or higher.
Where can I find more information about CVE-2018-20060?
You can find more information about CVE-2018-20060 at the following references: [NVD](https://nvd.nist.gov/vuln/detail/CVE-2018-20060), [GitHub Issue](https://github.com/urllib3/urllib3/issues/1316), [GitHub Pull Request](https://github.com/urllib3/urllib3/pull/1346).
- collector/redhat-cve
- collector/nvd-index
- agent/type
- agent/first-publish-date
- collector/launchpad-cve
- source/Launchpad
- agent/author
- agent/severity
- agent/weakness
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2018-20060
- agent/software-canonical-lookup
- collector/mitre-cve
- source/MITRE
- collector/usn-cve
- source/Ubuntu
- agent/remedy
- agent/event
- agent/description
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-www2-v7xj-xrc6
- agent/references
- collector/github-advisory
- agent/tags
- collector/nvd-cve
- source/NVD
- agent/last-modified-date
- collector/security-tracker-debian
- source/Debian
- agent/softwarecombine
- agent/trending
- package-manager/redhat
- vendor/python
- canonical/python urllib3
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/28
- version/fedoraproject fedora/29
- version/fedoraproject fedora/30
- package-manager/pip
- package-manager/debian