CVE-2018-18074

CVE Details

Release Date:

2018-10-09

Description

The Requests package before 2.20.0 for Python sends an HTTP Authorization header to an http URI upon receiving a same-hostname https-to-http redirect, which makes it easier for remote attackers to discover credentials by sniffing the network.

See more information about CVE-2018-18074 from MITRE CVE dictionary and NIST NVD

CVSS v3.0 metrics

NOTE: The following CVSS v3.0 metrics and score provided are preliminary and subject to review.

Base Score:	7.5	Base Metrics:	AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Access Vector:	Network	Attack Complexity:	Low
Privileges Required:	None	User Interaction:	None
Scope:	Unchanged	Confidentiality Impact:	High
Integrity Impact:	None	Availability Impact:	None

Errata information

Platform	Errata	Release Date
Oracle Linux version 7 (python-pip)	ELSA-2020-0850	2020-03-18
Oracle Linux version 7 (python-pip)	ELSA-2020-2068	2020-05-19
Oracle Linux version 7 (python-requests)	ELSA-2019-2035	2019-08-13
Oracle Linux version 7 (python-virtualenv)	ELSA-2020-0851	2020-03-18
Oracle Linux version 7 (python-virtualenv)	ELSA-2020-2081	2020-05-19
Oracle Linux version 8 (Cython)	ELSA-2020-1605	2020-05-05
Oracle Linux version 8 (PyYAML)	ELSA-2020-1605	2020-05-05
Oracle Linux version 8 (babel)	ELSA-2020-1605	2020-05-05
Oracle Linux version 8 (numpy)	ELSA-2020-1605	2020-05-05
Oracle Linux version 8 (pytest)	ELSA-2020-1605	2020-05-05
Oracle Linux version 8 (python-PyMySQL)	ELSA-2020-1605	2020-05-05
Oracle Linux version 8 (python-attrs)	ELSA-2020-1605	2020-05-05
Oracle Linux version 8 (python-backports)	ELSA-2020-1605	2020-05-05
Oracle Linux version 8 (python-backports-ssl_match_hostname)	ELSA-2020-1605	2020-05-05
Oracle Linux version 8 (python-chardet)	ELSA-2020-1605	2020-05-05
Oracle Linux version 8 (python-coverage)	ELSA-2020-1605	2020-05-05
Oracle Linux version 8 (python-dns)	ELSA-2020-1605	2020-05-05
Oracle Linux version 8 (python-docs)	ELSA-2020-1605	2020-05-05
Oracle Linux version 8 (python-docutils)	ELSA-2020-1605	2020-05-05
Oracle Linux version 8 (python-funcsigs)	ELSA-2020-1605	2020-05-05
Oracle Linux version 8 (python-idna)	ELSA-2020-1605	2020-05-05
Oracle Linux version 8 (python-ipaddress)	ELSA-2020-1605	2020-05-05
Oracle Linux version 8 (python-jinja2)	ELSA-2020-1605	2020-05-05
Oracle Linux version 8 (python-lxml)	ELSA-2020-1605	2020-05-05
Oracle Linux version 8 (python-markupsafe)	ELSA-2020-1605	2020-05-05
Oracle Linux version 8 (python-mock)	ELSA-2020-1605	2020-05-05
Oracle Linux version 8 (python-nose)	ELSA-2020-1605	2020-05-05
Oracle Linux version 8 (python-pip)	ELSA-2020-1916	2020-05-05
Oracle Linux version 8 (python-pluggy)	ELSA-2020-1605	2020-05-05
Oracle Linux version 8 (python-psycopg2)	ELSA-2020-1605	2020-05-05
Oracle Linux version 8 (python-py)	ELSA-2020-1605	2020-05-05
Oracle Linux version 8 (python-pygments)	ELSA-2020-1605	2020-05-05
Oracle Linux version 8 (python-pymongo)	ELSA-2020-1605	2020-05-05
Oracle Linux version 8 (python-pysocks)	ELSA-2020-1605	2020-05-05
Oracle Linux version 8 (python-pytest-mock)	ELSA-2020-1605	2020-05-05
Oracle Linux version 8 (python-requests)	ELSA-2020-1605	2020-05-05
Oracle Linux version 8 (python-setuptools_scm)	ELSA-2020-1605	2020-05-05
Oracle Linux version 8 (python-six)	ELSA-2020-1605	2020-05-05
Oracle Linux version 8 (python-sqlalchemy)	ELSA-2020-1605	2020-05-05
Oracle Linux version 8 (python-urllib3)	ELSA-2020-1605	2020-05-05
Oracle Linux version 8 (python-virtualenv)	ELSA-2020-1605	2020-05-05
Oracle Linux version 8 (python-wheel)	ELSA-2020-1605	2020-05-05
Oracle Linux version 8 (python2)	ELSA-2020-1605	2020-05-05
Oracle Linux version 8 (python2-pip)	ELSA-2020-1605	2020-05-05
Oracle Linux version 8 (python2-rpm-macros)	ELSA-2020-1605	2020-05-05
Oracle Linux version 8 (python2-setuptools)	ELSA-2020-1605	2020-05-05
Oracle Linux version 8 (pytz)	ELSA-2020-1605	2020-05-05
Oracle Linux version 8 (scipy)	ELSA-2020-1605	2020-05-05

This page is generated automatically and has not been checked for errors or omissions. For clarification or corrections please contact the Oracle Linux ULN team