2361962 – (CVE-2025-46421) CVE-2025-46421 libsoup: Information disclosure may leads libsoup client sends Authorization header to a different host when being redirected by a server

Bug 2361962 (CVE-2025-46421) - CVE-2025-46421 libsoup: Information disclosure may leads libsoup client sends Authorization header to a different host when being redirected by a server

Summary: CVE-2025-46421 libsoup: Information disclosure may leads libsoup client sends...

Keywords:
Status:	NEW
Alias:	CVE-2025-46421
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2361966 2361969 2361968
Blocks:
TreeView+	depends on / blocked

Reported:	2025-04-24 01:38 UTC by OSIDB Bzimport
Modified:	2025-04-24 12:52 UTC (History)
CC List:	0 users
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2025-04-24 01:38:31 UTC

When encountering an HTTP redirect, libsoup  clients prior to version 3.6.5 send the HTTP Authorization header to  the host that is the target of the redirection, allowing this host to  impersonate the user to the host that performed the redirect.

Note You need to log in before you can comment on or make changes to this bug.