Bug 1649153 (CVE-2018-20060) - CVE-2018-20060 python-urllib3: Cross-host redirect does not remove Authorization header allow for credential exposure
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2018-20060
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20180326,repor...
Depends On: 1649156 1649157 1666508 1666509 1666511 1678987 1678988 1717363 1717364 1717365 1649154 1649155 1658470 1658471 1658982 1666506 1666507 1717360 1717362
Blocks: 1649158
Reported: 2018-11-13 03:15 UTC by Sam Fowler
Modified: 2019-08-06 19:20 UTC (History)

Fixed In Version: python-urllib3 1.23
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-08-06 19:20:07 UTC


Links
Red Hat Product Errata RHSA-2019:2272 (Priority: None, Status: None, Summary: None, Last Updated: 2019-08-06 12:34:16 UTC)

Description Sam Fowler 2018-11-13 03:15:47 UTC
python-urllib3 before version 1.23 does not remove the 'Authorization' HTTP header when following a cross-origin redirect. This can allow for credentials in the 'Authorization' header to be exposed as they are transmitted in plaintext.


Upstream Issues:

https://github.com/urllib3/urllib3/issues/1316
https://github.com/urllib3/urllib3/pull/1346

Comment 1 Sam Fowler 2018-11-13 03:16:22 UTC
Created python-urllib3 tracking bugs for this issue:

Affects: epel-all [bug 1649156]
Affects: fedora-27 [bug 1649154]
Affects: fedora-28 [bug 1649155]
Affects: openstack-rdo [bug 1649157]

Comment 4 Riccardo Schirone 2018-12-12 08:42:41 UTC
An attacker who can intercept traffic between the victim host and the server may be able to read the Authorization header content when a server redirects to an HTTP endpoint on the same server. It is required that a server has such redirects and that the user visits it for the attack to take place.

Patched python-urllib3 versions remove the Authorization header by default on redirects.

Comment 8 Riccardo Schirone 2018-12-12 08:55:36 UTC
Mitigation:

Use `retries=urllib3.Retry(redirect=0)` when performing requests if you do not need redirection and handle the redirects manually if you need them.
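
The mitigation from comment 8 (no automatic redirects, handle them manually) worked through as an added example; this is not urllib3's own code or the reporter's. `send` stands in for a transport such as `urllib3.PoolManager.request` with `retries=urllib3.Retry(redirect=0)`, and the hostnames, token and fake server are constructed. The origin check compares scheme as well as host and port, so the HTTPS-to-HTTP downgrade on the same host described in comment 4 also drops the header.

```python
# Added example, not urllib3's or the reporter's code.  `send` stands in for a
# transport such as urllib3.PoolManager.request with retries=urllib3.Retry(redirect=0);
# hostnames, the token and the fake server below are constructed.
from urllib.parse import urljoin, urlsplit

SENSITIVE_HEADERS = frozenset({"authorization"})
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """(scheme, host, port); default port filled in so 'https://h' == 'https://h:443'."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    return scheme, (p.hostname or "").lower(), p.port or DEFAULT_PORTS.get(scheme)


def headers_for_redirect(current_url, next_url, headers):
    """Headers for the next hop: unchanged on the same origin, credentials dropped
    otherwise.  Because scheme is part of the origin, an HTTPS->HTTP downgrade on
    the same host also loses the Authorization header."""
    if origin(current_url) == origin(next_url):
        return dict(headers)
    return {k: v for k, v in headers.items() if k.lower() not in SENSITIVE_HEADERS}


def follow_redirects(send, method, url, headers, max_redirects=5):
    """send(method, url, headers) -> (status, response_headers, body).
    Returns (status, body, hops); hops records every (url, headers) actually sent."""
    hops = [(url, dict(headers))]
    for _ in range(max_redirects + 1):
        status, resp_headers, body = send(method, url, headers)
        location = resp_headers.get("Location")
        if status not in (301, 302, 303, 307, 308) or not location:
            return status, body, hops
        next_url = urljoin(url, location)  # Location may be relative
        headers = headers_for_redirect(url, next_url, headers)
        method = "GET" if status == 303 else method
        url = next_url
        hops.append((url, dict(headers)))
    raise RuntimeError("too many redirects")


def fake_send(method, url, headers):
    """Constructed server: one same-origin hop, then an HTTPS->HTTP downgrade."""
    if url == "https://api.example.test/v1/old":
        return 301, {"Location": "/v1/data"}, b""
    if url == "https://api.example.test/v1/data":
        return 302, {"Location": "http://api.example.test/v1/data"}, b""
    return 200, {}, b"ok"


def demo():
    creds = {"Authorization": "Basic dXNlcjpzZWNyZXQ="}  # constructed user:secret
    return follow_redirects(fake_send, "GET", "https://api.example.test/v1/old", creds)
```

With a real pool, wrap `PoolManager.request` to return `(status, headers, body)` and pass the `Retry(redirect=0)` setting from comment 8 with `raise_on_redirect=False`, so the 3xx response is handed back to `follow_redirects` instead of being followed or raised by the transport.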

Comment 14 Richard Maciel Costa 2019-02-20 04:16:24 UTC
Statement:

Red Hat Satellite 6.2 is in the Maintenance Support 2 phase, hence only selected critical and important issues will be fixed. Please refer to the Red Hat Satellite Product Life Cycle page for more information.

Comment 18 Richard Maciel Costa 2019-03-12 04:12:29 UTC
In reply to comment #17:
> (In reply to Riccardo Schirone from comment #3)
> > Private reproducer available here (after Kerberos login):
> > 
> > https://svn.devel.redhat.com/repos/srtvulns/trunk/components/python-urllib3/
> > CVE-2018-20060
> 
> I've managed to backport upstream patches to rhel7.7 and now I'd like to
> test it but the link mentioned in comment #3 doesn't work so I cannot use
> the reproducer.
> 
> Richard, could you please take a look?

Sent a copy to you by email.

Comment 24 Riccardo Schirone 2019-07-23 08:09:01 UTC
In reply to comment #4:
> An attacker who can intercept traffic between the victim host and the
> server, may be able to read the Authorization header content when a server
> redirects to an HTTP endpoint on the same server. It is required that a
> server has such redirects and that the user visits it for the attack to take
> place.

Actually, this flaw can be triggered even when the redirect is cross-origin, so the redirection can go to another server as well.

User Interaction set to Required (UI:R) because the user needs to visit the HTTPS server to trigger the vulnerability.
Attack Vector set to Network (AV:N) because an attacker needs to perform a man-in-the-middle attack to get access to the transferred data.
Attack Complexity set to High (AC:H) because the attack depends on the specific application that needs to be on HTTPS, to have a redirect to an HTTP server and to use HTTP authorization. Moreover, the attacker needs a man-in-the-middle attack.

Comment 25 errata-xmlrpc 2019-08-06 12:34:14 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:2272 https://access.redhat.com/errata/RHSA-2019:2272

Comment 26 Product Security DevOps Team 2019-08-06 19:20:07 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2018-20060

