VulnerableCode Vulnerability Details

Staging Environment: Content and features may be unstable or change without notice.

Search for vulnerabilities

Vulnerability details: VCID-pd4x-3cee-t7g3

Essentials
Severities (43)
References (28)
Severity details (29)
Exploits (0)
EPSS
History (1)

Vulnerability ID	VCID-pd4x-3cee-t7g3
Aliases	CVE-2018-18074 GHSA-x84v-xcm2-53pg PYSEC-2018-28
Summary	The Requests package before 2.20.0 for Python sends an HTTP Authorization header to an http URI upon receiving a same-hostname https-to-http redirect, which makes it easier for remote attackers to discover credentials by sniffing the network.
Status	Published
Exploitability	0.5
Weighted Severity	8.0
Risk	4.0
Affected and Fixed Packages	Package Details

Weaknesses (3)

CWE-522	Insufficiently Protected Credentials
CWE-937	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

System	Score	Found at
cvssv3.1	7.5	http://docs.python-requests.org/en/master/community/updates/#release-and-version-history
generic_textual	HIGH	http://docs.python-requests.org/en/master/community/updates/#release-and-version-history
cvssv3.1	7.5	http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00024.html
generic_textual	HIGH	http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00024.html
cvssv3.1	7.5	https://access.redhat.com/errata/RHSA-2019:2035
generic_textual	HIGH	https://access.redhat.com/errata/RHSA-2019:2035
cvssv3	2.6	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-18074.json
epss	0.00175	https://api.first.org/data/v1/epss?cve=CVE-2018-18074
epss	0.00175	https://api.first.org/data/v1/epss?cve=CVE-2018-18074
epss	0.00184	https://api.first.org/data/v1/epss?cve=CVE-2018-18074
epss	0.00184	https://api.first.org/data/v1/epss?cve=CVE-2018-18074
epss	0.00243	https://api.first.org/data/v1/epss?cve=CVE-2018-18074
epss	0.00243	https://api.first.org/data/v1/epss?cve=CVE-2018-18074
epss	0.00243	https://api.first.org/data/v1/epss?cve=CVE-2018-18074
epss	0.00243	https://api.first.org/data/v1/epss?cve=CVE-2018-18074
epss	0.00243	https://api.first.org/data/v1/epss?cve=CVE-2018-18074
epss	0.00243	https://api.first.org/data/v1/epss?cve=CVE-2018-18074
epss	0.00243	https://api.first.org/data/v1/epss?cve=CVE-2018-18074
epss	0.00243	https://api.first.org/data/v1/epss?cve=CVE-2018-18074
epss	0.00243	https://api.first.org/data/v1/epss?cve=CVE-2018-18074
epss	0.00243	https://api.first.org/data/v1/epss?cve=CVE-2018-18074
cvssv3.1	7.5	https://bugs.debian.org/910766
generic_textual	HIGH	https://bugs.debian.org/910766
cvssv3	5.9	https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1_qr	HIGH	https://github.com/advisories/GHSA-x84v-xcm2-53pg
cvssv3.1	7.5	https://github.com/pypa/advisory-database/tree/main/vulns/requests/PYSEC-2018-28.yaml
generic_textual	HIGH	https://github.com/pypa/advisory-database/tree/main/vulns/requests/PYSEC-2018-28.yaml
cvssv3.1	7.5	https://github.com/requests/requests
generic_textual	HIGH	https://github.com/requests/requests
cvssv3.1	7.5	https://github.com/requests/requests/commit/c45d7c49ea75133e52ab22a8e9e13173938e36ff
generic_textual	HIGH	https://github.com/requests/requests/commit/c45d7c49ea75133e52ab22a8e9e13173938e36ff
cvssv3.1	7.5	https://github.com/requests/requests/issues/4716
generic_textual	HIGH	https://github.com/requests/requests/issues/4716
cvssv3.1	7.5	https://github.com/requests/requests/pull/4718
generic_textual	HIGH	https://github.com/requests/requests/pull/4718
cvssv3.1	7.5	https://nvd.nist.gov/vuln/detail/CVE-2018-18074
generic_textual	HIGH	https://nvd.nist.gov/vuln/detail/CVE-2018-18074
cvssv3.1	7.5	https://usn.ubuntu.com/3790-1
generic_textual	HIGH	https://usn.ubuntu.com/3790-1
cvssv3.1	7.5	https://usn.ubuntu.com/3790-2
generic_textual	HIGH	https://usn.ubuntu.com/3790-2
cvssv3.1	7.5	https://www.oracle.com/security-alerts/cpujul2022.html
generic_textual	HIGH	https://www.oracle.com/security-alerts/cpujul2022.html

Reference id	Reference type	URL
		http://docs.python-requests.org/en/master/community/updates/#release-and-version-history
		http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00024.html
		https://access.redhat.com/errata/RHSA-2019:2035
		https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-18074.json
		https://api.first.org/data/v1/epss?cve=CVE-2018-18074
		https://bugs.debian.org/910766
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18074
		https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
		https://github.com/advisories/GHSA-x84v-xcm2-53pg
		https://github.com/pypa/advisory-database/tree/main/vulns/requests/PYSEC-2018-28.yaml
		https://github.com/requests/requests
		https://github.com/requests/requests/commit/c45d7c49ea75133e52ab22a8e9e13173938e36ff
		https://github.com/requests/requests/issues/4716
		https://github.com/requests/requests/pull/4718
		https://usn.ubuntu.com/3790-1
		https://usn.ubuntu.com/3790-1/
		https://usn.ubuntu.com/3790-2
		https://usn.ubuntu.com/3790-2/
		https://www.oracle.com/security-alerts/cpujul2022.html
1643829		https://bugzilla.redhat.com/show_bug.cgi?id=1643829
910766		https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=910766
CVE-2018-18074		https://nvd.nist.gov/vuln/detail/CVE-2018-18074
RHSA-2020:0850		https://access.redhat.com/errata/RHSA-2020:0850
RHSA-2020:0851		https://access.redhat.com/errata/RHSA-2020:0851
RHSA-2020:1605		https://access.redhat.com/errata/RHSA-2020:1605
RHSA-2020:1916		https://access.redhat.com/errata/RHSA-2020:1916
RHSA-2020:2068		https://access.redhat.com/errata/RHSA-2020:2068
RHSA-2020:2081		https://access.redhat.com/errata/RHSA-2020:2081

No exploits are available.

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at http://docs.python-requests.org/en/master/community/updates/#release-and-version-history

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00024.html

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://access.redhat.com/errata/RHSA-2019:2035

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.0/AV:A/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-18074.json

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://bugs.debian.org/910766

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/pypa/advisory-database/tree/main/vulns/requests/PYSEC-2018-28.yaml

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/requests/requests

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/requests/requests/commit/c45d7c49ea75133e52ab22a8e9e13173938e36ff

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/requests/requests/issues/4716

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/requests/requests/pull/4718

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2018-18074

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://usn.ubuntu.com/3790-1

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://usn.ubuntu.com/3790-2

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://www.oracle.com/security-alerts/cpujul2022.html

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Exploit Prediction Scoring System (EPSS)

Percentile	0.38681
EPSS Score	0.00175
Published At	April 26, 2026, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
2026-04-01T12:41:50.455857+00:00	Pypa Importer	Import	https://github.com/pypa/advisory-database/blob/main/vulns/requests/PYSEC-2018-28.yaml	38.0.0