Vulnerability details: VCID-mzxq-w8z6-aaah
Vulnerability ID VCID-mzxq-w8z6-aaah
Aliases CVE-2018-25091
GHSA-gwvm-45gx-3cf8
PYSEC-0000-CVE-2018-25091
PYSEC-2023-207
Summary urllib3 before 1.24.2 does not remove the authorization HTTP header when following a cross-origin redirect (i.e., a redirect that differs in host, port, or scheme). This can allow for credentials in the authorization header to be exposed to unintended hosts or transmitted in cleartext. NOTE: this issue exists because of an incomplete fix for CVE-2018-20060 (which was case-sensitive).
Status Published
Exploitability 0.5
Weighted Severity 6.2
Risk 3.1
System Score Found at
cvssv3 6.1 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-25091.json
epss 0.00101 https://api.first.org/data/v1/epss?cve=CVE-2018-25091
epss 0.00109 https://api.first.org/data/v1/epss?cve=CVE-2018-25091
epss 0.00155 https://api.first.org/data/v1/epss?cve=CVE-2018-25091
epss 0.0025 https://api.first.org/data/v1/epss?cve=CVE-2018-25091
epss 0.00257 https://api.first.org/data/v1/epss?cve=CVE-2018-25091
epss 0.00558 https://api.first.org/data/v1/epss?cve=CVE-2018-25091
cvssv3.1 6.5 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-gwvm-45gx-3cf8
cvssv3.1 6.1 https://github.com/pypa/advisory-database/tree/main/vulns/urllib3/PYSEC-2023-207.yaml
generic_textual MODERATE https://github.com/pypa/advisory-database/tree/main/vulns/urllib3/PYSEC-2023-207.yaml
cvssv3.1 4.4 https://github.com/urllib3/urllib3
generic_textual MODERATE https://github.com/urllib3/urllib3
cvssv3.1 6.1 https://github.com/urllib3/urllib3/commit/adb358f8e06865406d1f05e581a16cbea2136fbc
generic_textual MODERATE https://github.com/urllib3/urllib3/commit/adb358f8e06865406d1f05e581a16cbea2136fbc
cvssv3.1 6.1 https://github.com/urllib3/urllib3/compare/1.24.1...1.24.2
generic_textual MODERATE https://github.com/urllib3/urllib3/compare/1.24.1...1.24.2
cvssv3.1 6.1 https://github.com/urllib3/urllib3/issues/1510
generic_textual MODERATE https://github.com/urllib3/urllib3/issues/1510
cvssv3 6.1 https://nvd.nist.gov/vuln/detail/CVE-2018-25091
cvssv3.1 6.1 https://nvd.nist.gov/vuln/detail/CVE-2018-25091
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-25091.json
Attack Vector (AV): network; Attack Complexity (AC): low; Privileges Required (PR): none; User Interaction (UI): required; Scope (S): changed; Confidentiality Impact (C): low; Integrity Impact (I): low; Availability Impact (A): none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Attack Vector (AV): network; Attack Complexity (AC): low; Privileges Required (PR): none; User Interaction (UI): required; Scope (S): unchanged; Confidentiality Impact (C): high; Integrity Impact (I): none; Availability Impact (A): none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Found at https://github.com/pypa/advisory-database/tree/main/vulns/urllib3/PYSEC-2023-207.yaml
Attack Vector (AV): network; Attack Complexity (AC): low; Privileges Required (PR): none; User Interaction (UI): required; Scope (S): changed; Confidentiality Impact (C): low; Integrity Impact (I): low; Availability Impact (A): none

Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/urllib3/urllib3
Attack Vector (AV): network; Attack Complexity (AC): high; Privileges Required (PR): high; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): high; Integrity Impact (I): none; Availability Impact (A): none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Found at https://github.com/urllib3/urllib3/commit/adb358f8e06865406d1f05e581a16cbea2136fbc
Attack Vector (AV): network; Attack Complexity (AC): low; Privileges Required (PR): none; User Interaction (UI): required; Scope (S): changed; Confidentiality Impact (C): low; Integrity Impact (I): low; Availability Impact (A): none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Found at https://github.com/urllib3/urllib3/compare/1.24.1...1.24.2
Attack Vector (AV): network; Attack Complexity (AC): low; Privileges Required (PR): none; User Interaction (UI): required; Scope (S): changed; Confidentiality Impact (C): low; Integrity Impact (I): low; Availability Impact (A): none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Found at https://github.com/urllib3/urllib3/issues/1510
Attack Vector (AV): network; Attack Complexity (AC): low; Privileges Required (PR): none; User Interaction (UI): required; Scope (S): changed; Confidentiality Impact (C): low; Integrity Impact (I): low; Availability Impact (A): none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2018-25091
Attack Vector (AV): network; Attack Complexity (AC): low; Privileges Required (PR): none; User Interaction (UI): required; Scope (S): changed; Confidentiality Impact (C): low; Integrity Impact (I): low; Availability Impact (A): none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2018-25091
Attack Vector (AV): network; Attack Complexity (AC): low; Privileges Required (PR): none; User Interaction (UI): required; Scope (S): changed; Confidentiality Impact (C): low; Integrity Impact (I): low; Availability Impact (A): none

Exploit Prediction Scoring System (EPSS)
Percentile 0.42596
EPSS Score 0.00101
Published At Nov. 1, 2024, midnight
Date Actor Action Source VulnerableCode Version
There are no relevant records.