GNU Wget through 1.21.1 does not omit the Authorization header upon a redirect to a different origin, a related issue to CVE-2018-1000007. If wget sends an Authorization header to a Web server, and that server replies with a REDIRECT, that header will not be stripped, and thus be forwarded to the second web server. This creates a password leak, as the 2nd server receives the password. Reference: https://mail.gnu.org/archive/html/bug-wget/2021-02/msg00002.html
Created wget tracking bugs for this issue: Affects: fedora-all [bug 1955317]
This was previously reported upstream already in 2019 via : https://savannah.gnu.org/bugs/?56909