7.5

CVE-2018-18074

Exploit
The Requests package before 2.20.0 for Python sends an HTTP Authorization header to an http URI upon receiving a same-hostname https-to-http redirect, which makes it easier for remote attackers to discover credentials by sniffing the network.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
PythonRequests Version < 2.20.0
CanonicalUbuntu Linux Version14.04 SwEditionesm
CanonicalUbuntu Linux Version16.04 SwEditionlts
CanonicalUbuntu Linux Version18.04 SwEditionlts
CanonicalUbuntu Linux Version18.10
OpensuseLeap Version15.1
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 7.44% 0.937
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 7.5 3.9 3.6
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd@nist.gov 5 10 2.9
AV:N/AC:L/Au:N/C:P/I:N/A:N
CWE-522 Insufficiently Protected Credentials

The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.

https://www.oracle.com/security-alerts/cpujul2022.html
http://docs.python-requests.org/en/master/community/updates/#release-and-version-history
Third Party Advisory
Release Notes
http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00024.html
Third Party Advisory
Mailing List
https://access.redhat.com/errata/RHSA-2019:2035
Third Party Advisory
https://bugs.debian.org/910766
Patch
Third Party Advisory
Exploit
Issue Tracking
https://github.com/requests/requests/commit/c45d7c49ea75133e52ab22a8e9e13173938e36ff
Patch
Third Party Advisory
https://github.com/requests/requests/issues/4716
Patch
Third Party Advisory
Exploit
https://github.com/requests/requests/pull/4718
Patch
Third Party Advisory
https://usn.ubuntu.com/3790-1/
Third Party Advisory
https://usn.ubuntu.com/3790-2/
Third Party Advisory