python-urllib3 before version 1.23 does not remove the 'Authorization' HTTP header when following a cross-origin redirect. This can allow for credentials in the 'Authorization' header to be exposed as they are transmitted in plaintext. Upstream Issues: https://github.com/urllib3/urllib3/issues/1316 https://github.com/urllib3/urllib3/pull/1346
Created python-urllib3 tracking bugs for this issue:
Affects: epel-all [bug 1649156]
Affects: fedora-27 [bug 1649154]
Affects: fedora-28 [bug 1649155]
Affects: openstack-rdo [bug 1649157]
Upstream patch commits:
https://github.com/urllib3/urllib3/commit/3d7f98b07b6e6e04c2e89cdf5afb18024a2d804c
https://github.com/urllib3/urllib3/commit/f99912beeaf230ee3634b938d3ea426ffd1f3e57
https://github.com/urllib3/urllib3/commit/48dba048081dfcb999afcda715d17147aa15b6ea
https://github.com/urllib3/urllib3/commit/23e2eb56af23db5a1eeb8ad9b51dd99a27c15522
https://github.com/urllib3/urllib3/commit/5e9c6b9175d66170ef65fc703f2e46788a59ca0c
https://github.com/urllib3/urllib3/commit/9c9dd6f3014e89bb9c532b641abcf1b24c3896ab
https://github.com/urllib3/urllib3/commit/6245ddddb7f80740c5c15e1750e5b9f68c5b2b5f
https://github.com/urllib3/urllib3/commit/3b5f27449e153ad05186beca8fbd9b134936fe50
https://github.com/urllib3/urllib3/commit/1742538d57865e61125c6c12a755b5db41636fe7
https://github.com/urllib3/urllib3/commit/2a42e70ff077006d5a6da92251ddbb2939303f94
https://github.com/urllib3/urllib3/commit/e8a727a0b8389f5f75981858a8bbb319646f4450
https://github.com/urllib3/urllib3/commit/63948f3a607ed8e7a3ce9ac4e20782359896e27e
https://github.com/urllib3/urllib3/commit/560bd227b90f74417ffaedebf5f8d05a8ee4f532
Got from GitHub pull request: https://github.com/urllib3/urllib3/pull/1346
An attacker who can intercept traffic between the victim host and the server may be able to read the Authorization header content when a server redirects to an HTTP endpoint on the same server. It is required that a server has such redirects and that the user visits it for the attack to take place. Patched python-urllib3 versions remove the Authorization header by default on redirects.
Mitigation: Use `retries=urllib3.Retry(redirect=0)` when performing requests if you do not need redirection and handle the redirects manually if you need them.
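An added example, not code from the bug report or from urllib3 itself: the same-origin test (scheme, host and port) that patched urllib3 applies before forwarding the Authorization header on a redirect, followed by a hypothetical manual redirect loop built on the mitigation above. The urllib3 call adds `raise_on_redirect=False` so the 3xx response is returned rather than raising; the helper needs urllib3 and network access to run, while the origin check runs stand-alone.

```python
# Added example, not code from the bug report or from urllib3 itself. It shows
# the same-origin test patched urllib3 applies before forwarding 'Authorization'
# on a redirect, and a manual redirect loop built on the mitigation above.
from urllib.parse import urljoin, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return (scheme, host, port) of a URL with the scheme's default port filled in."""
    parts = urlsplit(url)
    scheme = (parts.scheme or "").lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return scheme, host, port


def should_keep_authorization(request_url, location):
    """True only if the redirect target has the same scheme, host and port.

    An https -> http redirect to the *same* host is a different origin: had the
    header been forwarded, the credentials would travel in plaintext.
    """
    target = urljoin(request_url, location)  # a relative Location stays same-origin
    return origin(request_url) == origin(target)


def fetch_with_manual_redirects(url, headers, max_redirects=5):
    """Hypothetical helper: follow redirects by hand, dropping Authorization
    whenever the origin changes. Needs urllib3 and network access to run."""
    import urllib3  # imported here so the origin check above needs no extra package

    http = urllib3.PoolManager()
    # redirect=0 stops urllib3 from following the redirect itself;
    # raise_on_redirect=False returns the 3xx response instead of raising.
    retries = urllib3.Retry(redirect=0, raise_on_redirect=False)
    headers = dict(headers)
    for _ in range(max_redirects + 1):
        resp = http.request("GET", url, headers=headers, retries=retries)
        location = resp.get_redirect_location()
        if not location:
            return resp
        if not should_keep_authorization(url, location):
            headers = {k: v for k, v in headers.items() if k.lower() != "authorization"}
        url = urljoin(url, location)
    raise RuntimeError("too many redirects")
```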
In reply to comment #17:
> (In reply to Riccardo Schirone from comment #3)
> > Private reproducer available here (after Kerberos login):
> >
> > https://svn.devel.redhat.com/repos/srtvulns/trunk/components/python-urllib3/
> > CVE-2018-20060
>
> I've managed to backport upstream patches to rhel7.7 and now I'd like to
> test it but the link mentioned in comment #3 doesn't work so I cannot use
> the reproducer.
>
> Richard, could you please take a look?

Sent a copy to you by email.
In reply to comment #4:
> An attacker who can intercept traffic between the victim host and the
> server may be able to read the Authorization header content when a server
> redirects to an HTTP endpoint on the same server. It is required that a
> server has such redirects and that the user visits it for the attack to take
> place.

Actually this flaw can be triggered even when the redirect is cross-origin, so the redirection can go to another server as well.

User Interaction set to Required (UI:R) because the user needs to visit the HTTPS server to trigger the vulnerability. Attack Vector set to Network (AV:N) because an attacker needs to perform a man-in-the-middle attack to get access to the transferred data. Attack Complexity set to High (AC:H) because the attack depends on the specific application, which needs to be on HTTPS, to have a redirect to an HTTP server and to use HTTP authorization. Moreover, the attacker needs a man-in-the-middle attack.
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2019:2272 https://access.redhat.com/errata/RHSA-2019:2272
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2018-20060
Created python-pip tracking bugs for this issue:
Affects: epel-6 [bug 1774426]
Affects: fedora-29 [bug 1774425]
Created python-pip-epel tracking bugs for this issue:
Affects: epel-7 [bug 1774427]
Created python-virtualenv tracking bugs for this issue:
Affects: epel-6 [bug 1778104]
Affects: fedora-30 [bug 1778102]
Created python3-virtualenv tracking bugs for this issue:
Affects: epel-7 [bug 1778105]
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2020:0850 https://access.redhat.com/errata/RHSA-2020:0850
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2020:0851 https://access.redhat.com/errata/RHSA-2020:0851
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:1605 https://access.redhat.com/errata/RHSA-2020:1605
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:1916 https://access.redhat.com/errata/RHSA-2020:1916
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2020:2068 https://access.redhat.com/errata/RHSA-2020:2068
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2020:2081 https://access.redhat.com/errata/RHSA-2020:2081
Statement: Red Hat Satellite 6.2 is on Maintenance Support 2 phase, hence only selected critical and important issues will be fixed. Please refer to Red Hat Satellite Product Life Cycle page for more information. In Red Hat OpenStack Platform 13, because the flaw has a lower impact and the fix would require a substantial amount of development, no update will be provided at this time for the RHOSP python-urllib3 package.