VulnerableCode Package Details - pkg:rpm/redhat/python-pip@9.0.3-7?arch=el7

Search for packages

Vulnerability	Summary	Fixed by
VCID-6kxp-qa5x-q3bq Aliases: CVE-2019-11324 GHSA-mh33-7rrq-662w PYSEC-2019-133	The urllib3 library before 1.24.2 for Python mishandles certain cases where the desired set of CA certificates is different from the OS store of CA certificates, which results in SSL connections succeeding in situations where a verification failure is the correct outcome. This is related to use of the ssl_context, ca_certs, or ca_certs_dir argument.	There are no reported fixed by versions.
VCID-b3e6-k53t-bkgk Aliases: CVE-2019-11236 GHSA-r64q-w8jr-g9qp PYSEC-2019-132	In the urllib3 library through 1.24.1 for Python, CRLF injection is possible if the attacker controls the request parameter.	There are no reported fixed by versions.
VCID-pd4x-3cee-t7g3 Aliases: CVE-2018-18074 GHSA-x84v-xcm2-53pg PYSEC-2018-28	The Requests package before 2.20.0 for Python sends an HTTP Authorization header to an http URI upon receiving a same-hostname https-to-http redirect, which makes it easier for remote attackers to discover credentials by sniffing the network.	There are no reported fixed by versions.
VCID-swgb-7b34-h3a9 Aliases: CVE-2018-20060 GHSA-www2-v7xj-xrc6 PYSEC-2018-32	urllib3 before version 1.23 does not remove the Authorization HTTP header when following a cross-origin redirect (i.e., a redirect that differs in host, port, or scheme). This can allow for credentials in the Authorization header to be exposed to unintended hosts or transmitted in cleartext.	There are no reported fixed by versions.

Vulnerability

Summary

Fixed by

VCID-6kxp-qa5x-q3bq
Aliases:
CVE-2019-11324
GHSA-mh33-7rrq-662w
PYSEC-2019-133

The urllib3 library before 1.24.2 for Python mishandles certain cases where the desired set of CA certificates is different from the OS store of CA certificates, which results in SSL connections succeeding in situations where a verification failure is the correct outcome. This is related to use of the ssl_context, ca_certs, or ca_certs_dir argument.

There are no reported fixed by versions.

VCID-b3e6-k53t-bkgk
Aliases:
CVE-2019-11236
GHSA-r64q-w8jr-g9qp
PYSEC-2019-132

In the urllib3 library through 1.24.1 for Python, CRLF injection is possible if the attacker controls the request parameter.

There are no reported fixed by versions.

VCID-pd4x-3cee-t7g3
Aliases:
CVE-2018-18074
GHSA-x84v-xcm2-53pg
PYSEC-2018-28

The Requests package before 2.20.0 for Python sends an HTTP Authorization header to an http URI upon receiving a same-hostname https-to-http redirect, which makes it easier for remote attackers to discover credentials by sniffing the network.

There are no reported fixed by versions.

VCID-swgb-7b34-h3a9
Aliases:
CVE-2018-20060
GHSA-www2-v7xj-xrc6
PYSEC-2018-32

urllib3 before version 1.23 does not remove the Authorization HTTP header when following a cross-origin redirect (i.e., a redirect that differs in host, port, or scheme). This can allow for credentials in the Authorization header to be exposed to unintended hosts or transmitted in cleartext.

There are no reported fixed by versions.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-01T14:25:40.589099+00:00	RedHat Importer	Affected by	VCID-swgb-7b34-h3a9	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-20060.json	38.0.0
2026-04-01T14:23:51.044347+00:00	RedHat Importer	Affected by	VCID-pd4x-3cee-t7g3	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-18074.json	38.0.0
2026-04-01T14:20:47.891547+00:00	RedHat Importer	Affected by	VCID-b3e6-k53t-bkgk	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-11236.json	38.0.0
2026-04-01T14:19:59.373265+00:00	RedHat Importer	Affected by	VCID-6kxp-qa5x-q3bq	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-11324.json	38.0.0