Bug 1649153 (CVE-2018-20060) - CVE-2018-20060 python-urllib3: Cross-host redirect does not remove Authorization header allow for credential exposure
Summary: CVE-2018-20060 python-urllib3: Cross-host redirect does not remove Authorizat...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2018-20060
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1666509 1774426 1778104 1778105 1649154 1649155 1649156 1649157 1658470 1658471 1658982 1666506 1666507 1666508 1666511 1678987 1678988 1717360 1717362 1717363 1717364 1717365 1774425 1774427 1774430 1774431 1774432 1774433 1774434 1778102 1778110 1778111 1778112 1804581 1804582 1804583 1804584
Blocks: 1649158
TreeView+ depends on / blocked
 
Reported: 2018-11-13 03:15 UTC by Sam Fowler
Modified: 2020-05-12 18:38 UTC (History)
72 users (show)

Fixed In Version: python-urllib3 1.23
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-08-06 19:20:07 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2019:2272 None None None 2019-08-06 12:34:16 UTC
Red Hat Product Errata RHSA-2020:0850 None None None 2020-03-17 16:18:22 UTC
Red Hat Product Errata RHSA-2020:0851 None None None 2020-03-17 16:18:45 UTC
Red Hat Product Errata RHSA-2020:1605 None None None 2020-04-28 15:29:19 UTC
Red Hat Product Errata RHSA-2020:1916 None None None 2020-04-28 16:08:43 UTC
Red Hat Product Errata RHSA-2020:2068 None None None 2020-05-12 18:37:51 UTC
Red Hat Product Errata RHSA-2020:2081 None None None 2020-05-12 18:38:03 UTC

Description Sam Fowler 2018-11-13 03:15:47 UTC
python-urllib3 before version 1.23 does not remove the 'Authorization' HTTP header when following a cross-origin redirect. This can allow for credentials in the 'Authorization' header to be exposed as they are transmitted in plaintext.


Upstream Issues:

https://github.com/urllib3/urllib3/issues/1316
https://github.com/urllib3/urllib3/pull/1346

Comment 1 Sam Fowler 2018-11-13 03:16:22 UTC
Created python-urllib3 tracking bugs for this issue:

Affects: epel-all [bug 1649156]
Affects: fedora-27 [bug 1649154]
Affects: fedora-28 [bug 1649155]
Affects: openstack-rdo [bug 1649157]

Comment 4 Riccardo Schirone 2018-12-12 08:42:41 UTC
An attacker who can intercept traffic between the victim host and the server, may be able to read the Authorization header content when a server redirects to an HTTP endpoint on the same server. It is required that a server has such redirects and that the user visits it for the attack to take place.

Patched python-urllib3 versions remove the Authorization header by default on redirects.

Comment 8 Riccardo Schirone 2018-12-12 08:55:36 UTC
Mitigation:

Use `retries=urllib3.Retry(redirect=0)` when performing requests if you do not need redirection and handle the redirects manually if you need them.

Comment 14 Richard Maciel Costa 2019-02-20 04:16:24 UTC
Statement:

Red Hat Satellite 6.2 is on Maintenance Support 2 phase, hence only selected critical and important issues will be fixed. Please refer to Red Hat Satellite Product Life Cycle page for more information.

Comment 18 Richard Maciel Costa 2019-03-12 04:12:29 UTC
In reply to comment #17:
> (In reply to Riccardo Schirone from comment #3)
> > Private reproducer available here (after Kerberos login):
> > 
> > https://svn.devel.redhat.com/repos/srtvulns/trunk/components/python-urllib3/
> > CVE-2018-20060
> 
> I've managed to backport upstream patches to rhel7.7 and now I'd like to
> test it but the link mentioned in comment #3 doesn't work so I cannot use
> the reproducer.
> 
> Richard, could you please take a look?

Sent a copy to you by email.

Comment 24 Riccardo Schirone 2019-07-23 08:09:01 UTC
In reply to comment #4:
> An attacker who can intercept traffic between the victim host and the
> server, may be able to read the Authorization header content when a server
> redirects to an HTTP endpoint on the same server. It is required that a
> server has such redirects and that the user visits it for the attack to take
> place.

Actually this flaw can be triggered even when the redirect is cross-origin, thus the redirection can go on another server as well.

User Interaction set to Required (UI:R) because the user needs to visit the HTTPS server to trigger the vulnerability.
Attack Vector set to Network(AV:N) because an attacker needs to perform a man-in-the-middle attack to get access to the transferred data.
Attack Complexity set to High(AC:H) because the attack depends on the specific application that needs to be on HTTPS, to have a redirect to an HTTP server and to use HTTP authorization. Moreover, the attacker needs a man-in-the-middle attack.

Comment 25 errata-xmlrpc 2019-08-06 12:34:14 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:2272 https://access.redhat.com/errata/RHSA-2019:2272

Comment 26 Product Security DevOps Team 2019-08-06 19:20:07 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2018-20060

Comment 27 Tomas Hoger 2019-11-20 09:54:36 UTC
Created python-pip tracking bugs for this issue:

Affects: epel-6 [bug 1774426]
Affects: fedora-29 [bug 1774425]


Created python-pip-epel tracking bugs for this issue:

Affects: epel-7 [bug 1774427]

Comment 29 Tomas Hoger 2019-11-29 10:24:27 UTC
Created python-virtualenv tracking bugs for this issue:

Affects: epel-6 [bug 1778104]
Affects: fedora-30 [bug 1778102]


Created python3-virtualenv tracking bugs for this issue:

Affects: epel-7 [bug 1778105]

Comment 31 errata-xmlrpc 2020-03-17 16:18:19 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:0850 https://access.redhat.com/errata/RHSA-2020:0850

Comment 32 errata-xmlrpc 2020-03-17 16:18:40 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:0851 https://access.redhat.com/errata/RHSA-2020:0851

Comment 33 errata-xmlrpc 2020-04-28 15:29:16 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:1605 https://access.redhat.com/errata/RHSA-2020:1605

Comment 34 errata-xmlrpc 2020-04-28 16:08:37 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:1916 https://access.redhat.com/errata/RHSA-2020:1916

Comment 35 errata-xmlrpc 2020-05-12 18:37:48 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:2068 https://access.redhat.com/errata/RHSA-2020:2068

Comment 36 errata-xmlrpc 2020-05-12 18:38:00 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:2081 https://access.redhat.com/errata/RHSA-2020:2081


Note You need to log in before you can comment on or make changes to this bug.