CVE-2018-18074

Severity: high

Description

The Requests package before 2.20.0 for Python sends an HTTP Authorization header to an http URI upon receiving a same-hostname https-to-http redirect, which makes it easier for remote attackers to discover credentials by sniffing the network.
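An added illustration (not code from the Requests project or from this page) of the redirect decision the description covers: `strips_auth_vulnerable` models the pre-2.20.0 hostname-only rule, under which a same-host https-to-http redirect keeps the Authorization header, and `strips_auth_hardened` applies the rule the 2.20.0 fix adopts, dropping the header whenever scheme, host or effective port changes, with the one exception of an http-to-https upgrade on default ports. Function names and sample URLs are constructed.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def _origin(url):
    """Return (scheme, host, effective port), filling in the scheme's default port."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return scheme, (parts.hostname or "").lower(), port


def strips_auth_vulnerable(old_url, new_url):
    """Pre-2.20.0 behaviour: only a hostname change drops Authorization.

    A same-host https -> http redirect therefore keeps the header and the
    credential travels over cleartext HTTP (CWE-522)."""
    return _origin(old_url)[1] != _origin(new_url)[1]


def strips_auth_hardened(old_url, new_url):
    """Drop Authorization when the origin changes.

    Exception: an http -> https upgrade on the default ports keeps it, which is
    the compatibility carve-out the 2.20.0 fix makes."""
    old_scheme, old_host, old_port = _origin(old_url)
    new_scheme, new_host, new_port = _origin(new_url)
    if old_host != new_host:
        return True
    if (old_scheme, old_port, new_scheme, new_port) == ("http", 80, "https", 443):
        return False
    return old_scheme != new_scheme or old_port != new_port


def redirect_headers(headers, old_url, new_url, policy):
    """Headers to send on the redirected request under the given policy."""
    out = dict(headers)
    if policy(old_url, new_url):
        out.pop("Authorization", None)
    return out


if __name__ == "__main__":
    # Constructed sample: same host, TLS downgraded by the redirect.
    hdrs = {"Authorization": "Basic <placeholder>", "Accept": "*/*"}
    old, new = "https://api.example.test/v1", "http://api.example.test/v1"
    print(redirect_headers(hdrs, old, new, strips_auth_vulnerable))  # header kept
    print(redirect_headers(hdrs, old, new, strips_auth_hardened))    # header removed
```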

References

https://github.com/requests/requests/pull/4718

https://github.com/requests/requests/issues/4716

https://github.com/requests/requests/commit/c45d7c49ea75133e52ab22a8e9e13173938e36ff

https://bugs.debian.org/910766

https://usn.ubuntu.com/3790-1/

http://docs.python-requests.org/en/master/community/updates/#release-and-version-history

https://usn.ubuntu.com/3790-2/

http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00024.html

https://access.redhat.com/errata/RHSA-2019:2035

Details

Source: MITRE

Published: 2018-10-09

Updated: 2021-04-14

Type: CWE-522

Risk Information

CVSS v2

Base Score: 5

Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

Impact Score: 2.9

Exploitability Score: 10

Severity: MEDIUM

CVSS v3

Base Score: 7.5

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Impact Score: 3.6

Exploitability Score: 3.9

Severity: HIGH

Tenable Plugins

44 plugins in total:

| ID | Name | Product | Family | Severity |
|---|---|---|---|---|
| 145934 | CentOS 8 : python-pip (CESA-2020:1916) | Nessus | CentOS Local Security Checks | high |
| 145889 | CentOS 8 : python27:2.7 (CESA-2020:1605) | Nessus | CentOS Local Security Checks | high |
| 143977 | NewStart CGSL CORE 5.05 / MAIN 5.05 : python-virtualenv Multiple Vulnerabilities (NS-SA-2020-0118) | Nessus | NewStart CGSL Local Security Checks | critical |
| 143975 | NewStart CGSL CORE 5.05 / MAIN 5.05 : python-pip Multiple Vulnerabilities (NS-SA-2020-0112) | Nessus | NewStart CGSL Local Security Checks | high |
| 141726 | EulerOS Virtualization 3.0.2.2 : python-requests (EulerOS-SA-2020-2201) | Nessus | Huawei Local Security Checks | high |
| 140276 | NewStart CGSL CORE 5.04 / MAIN 5.04 : python-virtualenv Multiple Vulnerabilities (NS-SA-2020-0044) | Nessus | NewStart CGSL Local Security Checks | critical |
| 138769 | NewStart CGSL MAIN 6.01 : python-pip Multiple Vulnerabilities (NS-SA-2020-0035) | Nessus | NewStart CGSL Local Security Checks | high |
| 137972 | EulerOS Virtualization 3.0.6.0 : python-requests (EulerOS-SA-2020-1753) | Nessus | Huawei Local Security Checks | high |
| 137475 | EulerOS 2.0 SP2 : python-requests (EulerOS-SA-2020-1633) | Nessus | Huawei Local Security Checks | high |
| 137039 | Scientific Linux Security Update : python-virtualenv on SL7.x (noarch) (20200512) | Nessus | Scientific Linux Local Security Checks | critical |
| 137038 | Scientific Linux Security Update : python-pip on SL7.x (noarch) (20200512) | Nessus | Scientific Linux Local Security Checks | high |
| 136519 | RHEL 7 : python-pip (RHSA-2020:2068) | Nessus | Red Hat Local Security Checks | high |
| 136517 | RHEL 7 : python-virtualenv (RHSA-2020:2081) | Nessus | Red Hat Local Security Checks | critical |
| 136112 | RHEL 8 : python-pip (RHSA-2020:1916) | Nessus | Red Hat Local Security Checks | high |
| 136044 | RHEL 8 : python27:2.7 (RHSA-2020:1605) | Nessus | Red Hat Local Security Checks | high |
| 135931 | Amazon Linux 2 : python-virtualenv (ALAS-2020-1413) | Nessus | Amazon Linux Local Security Checks | critical |
| 135558 | EulerOS 2.0 SP3 : python-requests (EulerOS-SA-2020-1429) | Nessus | Huawei Local Security Checks | critical |
| 134904 | CentOS 7 : python-virtualenv (CESA-2020:0851) | Nessus | CentOS Local Security Checks | critical |
| 134903 | CentOS 7 : python-pip (CESA-2020:0850) | Nessus | CentOS Local Security Checks | high |
| 134826 | RHEL 7 : python-pip (RHSA-2020:0850) | Nessus | Red Hat Local Security Checks | high |
| 134689 | Oracle Linux 7 : python-virtualenv (ELSA-2020-0851) | Nessus | Oracle Linux Local Security Checks | critical |
| 134688 | Oracle Linux 7 : python-pip (ELSA-2020-0850) | Nessus | Oracle Linux Local Security Checks | high |
| 134676 | RHEL 7 : python-virtualenv (RHSA-2020:0851) | Nessus | Red Hat Local Security Checks | critical |
| 134650 | Scientific Linux Security Update : python-virtualenv on SL7.x (noarch) (20200317) | Nessus | Scientific Linux Local Security Checks | critical |
| 134649 | Scientific Linux Security Update : python-pip on SL7.x (noarch) (20200317) | Nessus | Scientific Linux Local Security Checks | high |
| 134285 | SUSE SLES12 Security Update : python-aws-sam-translator, python-boto3, python-botocore, python-cfn-lint, python-jsonschema, python-nose2, python-parameterized, python-pathlib2, python-pytest-cov, python-requests, python-s3transfer (SUSE-SU-2020:0555-1) | Nessus | SuSE Local Security Checks | high |
| 132797 | EulerOS Virtualization for ARM 64 3.0.5.0 : python-requests (EulerOS-SA-2020-1043) | Nessus | Huawei Local Security Checks | high |
| 132620 | EulerOS 2.0 SP8 : python-requests (EulerOS-SA-2020-1027) | Nessus | Huawei Local Security Checks | high |
| 132462 | NewStart CGSL CORE 5.05 / MAIN 5.05 : python-requests Vulnerability (NS-SA-2019-0230) | Nessus | NewStart CGSL Local Security Checks | high |
| 130230 | Amazon Linux 2 : python-requests (ALAS-2019-1334) | Nessus | Amazon Linux Local Security Checks | high |
| 129889 | NewStart CGSL CORE 5.04 / MAIN 5.04 : python-requests Vulnerability (NS-SA-2019-0189) | Nessus | NewStart CGSL Local Security Checks | high |
| 128950 | EulerOS Virtualization for ARM 64 3.0.2.0 : python-requests (EulerOS-SA-2019-1947) | Nessus | Huawei Local Security Checks | high |
| 128809 | EulerOS 2.0 SP5 : python-requests (EulerOS-SA-2019-1886) | Nessus | Huawei Local Security Checks | high |
| 128335 | CentOS 7 : python-requests (CESA-2019:2035) | Nessus | CentOS Local Security Checks | high |
| 128255 | Scientific Linux Security Update : python-requests on SL7.x x86_64 (20190806) | Nessus | Scientific Linux Local Security Checks | high |
| 127653 | RHEL 7 : python-requests (RHSA-2019:2035) | Nessus | Red Hat Local Security Checks | high |
| 126895 | openSUSE Security Update : python-requests (openSUSE-2019-1754) | Nessus | SuSE Local Security Checks | high |
| 126379 | Photon OS 3.0: Python PHSA-2019-3.0-0009 | Nessus | PhotonOS Local Security Checks | critical |
| 121324 | FreeBSD : www/py-requests -- Information disclosure vulnerability (50ad9a9a-1e28-11e9-98d7-0050562a4d7b) | Nessus | FreeBSD Local Security Checks | high |
| 120622 | Fedora 28 : python-requests (2018-9324e844d9) | Nessus | Fedora Local Security Checks | critical |
| 120425 | Fedora 29 : python-requests (2018-52262a02be) | Nessus | Fedora Local Security Checks | critical |
| 118940 | Fedora 27 : python-requests (2018-41320b315a) | Nessus | Fedora Local Security Checks | critical |
| 118323 | Ubuntu 18.10 : Requests vulnerability (USN-3790-2) | Nessus | Ubuntu Local Security Checks | high |
| 118142 | Ubuntu 14.04 LTS / 16.04 LTS / 18.04 LTS : Requests vulnerability (USN-3790-1) | Nessus | Ubuntu Local Security Checks | high |