python-urllib3 before version 1.23 does not remove the 'Authorization' HTTP header when following a cross-origin redirect. This can allow for credentials in the 'Authorization' header to be exposed as they are transmitted in plaintext.
Created python-urllib3 tracking bugs for this issue:
Affects: epel-all [bug 1649156]
Affects: fedora-27 [bug 1649154]
Affects: fedora-28 [bug 1649155]
Affects: openstack-rdo [bug 1649157]
Upstream patch commits:
Got from GitHub pull request:
An attacker who can intercept traffic between the victim host and the server may be able to read the Authorization header content when a server redirects to an HTTP endpoint on the same server. It is required that a server has such redirects and that the user visits it for the attack to take place.
Patched python-urllib3 versions remove the Authorization header by default on redirects.
Use `retries=urllib3.Retry(redirect=0)` when performing requests if you do not need redirection, and handle redirects manually if you need them.
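As an added example of the mitigation above (written for this page; it is not code from the bug report or from urllib3 itself), the loop below follows redirects by hand and does what patched urllib3 does by default: any hop whose scheme, host or port differs from the previous URL is treated as cross-origin and the Authorization header is dropped for it, so an HTTPS to HTTP redirect never carries the credential. The `fake_send` transport, the `example.test` URLs and the Basic credential are constructed for the demonstration; `urllib3_sender` shows how a real `urllib3.PoolManager` would be plugged in with `redirect=False` so that urllib3 returns the 3xx response instead of following it.

```python
# Added example (not from the bug report or from urllib3): manual redirect
# handling that strips Authorization whenever a hop leaves the original origin.
from urllib.parse import urljoin, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
REDIRECT_STATUSES = (301, 302, 303, 307, 308)


def origin(url):
    """Return (scheme, host, port) with the scheme's default port filled in."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    return scheme, (parts.hostname or "").lower(), parts.port or DEFAULT_PORTS.get(scheme)


def headers_for_redirect(headers, from_url, to_url):
    """Copy the request headers for the next hop; drop Authorization if the
    hop is cross-origin (unpatched urllib3 < 1.23 kept it on every hop)."""
    next_headers = dict(headers)
    if origin(from_url) != origin(to_url):
        for name in list(next_headers):
            if name.lower() == "authorization":
                del next_headers[name]
    return next_headers


def request_no_auto_redirect(send, method, url, headers, max_redirects=5):
    """Follow 3xx responses by hand.

    send(method, url, headers) performs ONE request without following
    redirects and returns (status, response_headers, body).  Returns
    (status, body, hops), where hops lists every URL that was contacted.
    """
    hops = [url]
    current_headers = dict(headers)
    for _ in range(max_redirects + 1):
        status, resp_headers, body = send(method, url, current_headers)
        location = next((v for k, v in resp_headers.items() if k.lower() == "location"), None)
        if status not in REDIRECT_STATUSES or location is None:
            return status, body, hops
        next_url = urljoin(url, location)
        current_headers = headers_for_redirect(current_headers, url, next_url)
        if status == 303 or (status in (301, 302) and method == "POST"):
            method = "GET"  # browsers and urllib3 switch to GET here
        url = next_url
        hops.append(url)
    raise RuntimeError("too many redirects")


def urllib3_sender(pool):
    """Adapter for a real urllib3 PoolManager (passed in by the caller):
    redirect=False makes urllib3 hand back the 3xx response unfollowed."""
    def send(method, url, headers):
        resp = pool.request(method, url, headers=headers, redirect=False)
        return resp.status, dict(resp.headers), resp.data
    return send


# Constructed stand-in for the network: an HTTPS endpoint that redirects to a
# plaintext endpoint on the same host, which records every header it receives.
SEEN_BY_PLAINTEXT_ENDPOINT = {}


def fake_send(method, url, headers):
    if url == "https://api.example.test/login":
        return 302, {"Location": "http://api.example.test/login"}, b""
    if url == "http://api.example.test/login":
        SEEN_BY_PLAINTEXT_ENDPOINT.update(headers)
        return 200, {}, b"ok"
    return 404, {}, b""


def demo():
    """Run the HTTPS -> HTTP redirect through the manual handler and report
    whether the Authorization header ever reached the plaintext endpoint."""
    SEEN_BY_PLAINTEXT_ENDPOINT.clear()
    status, _body, hops = request_no_auto_redirect(
        fake_send, "GET", "https://api.example.test/login",
        {"Authorization": "Basic dXNlcjpwYXNz",  # constructed "user:pass"
         "Accept": "application/json"})
    leaked = any(k.lower() == "authorization" for k in SEEN_BY_PLAINTEXT_ENDPOINT)
    return status, hops, leaked


if __name__ == "__main__":
    print(demo())  # (200, [https URL, http URL], False)
```

Only the origin comparison is security-relevant; the Accept header still travels to the second hop, while Authorization is removed because the scheme changed even though the host did not.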
Red Hat Satellite 6.2 is in the Maintenance Support 2 phase, hence only selected critical and important issues will be fixed. Please refer to the Red Hat Satellite Product Life Cycle page for more information.
In reply to comment #17:
> (In reply to Riccardo Schirone from comment #3)
> > Private reproducer available here (after Kerberos login):
> > https://svn.devel.redhat.com/repos/srtvulns/trunk/components/python-urllib3/
> > CVE-2018-20060
> I've managed to backport upstream patches to rhel7.7 and now I'd like to
> test it but the link mentioned in comment #3 doesn't work so I cannot use
> the reproducer.
> Richard, could you please take a look?
Sent a copy to you by email.
In reply to comment #4:
> An attacker who can intercept traffic between the victim host and the
> server, may be able to read the Authorization header content when a server
> redirects to an HTTP endpoint on the same server. It is required that a
> server has such redirects and that the user visits it for the attack to take
Actually, this flaw can be triggered even when the redirect is cross-origin, so the redirect can go to another server as well.
User Interaction set to Required (UI:R) because the user needs to visit the HTTPS server to trigger the vulnerability.
Attack Vector set to Network (AV:N) because an attacker needs to perform a man-in-the-middle attack to get access to the transferred data.
Attack Complexity set to High (AC:H) because the attack depends on the specific application, which needs to be served over HTTPS, to redirect to an HTTP server, and to use HTTP authorization. Moreover, the attacker needs a man-in-the-middle attack.
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2019:2272 https://access.redhat.com/errata/RHSA-2019:2272
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):