CVE-2014-1829

Published: 15/10/2014 Updated: 30/08/2016
CVSS v2 Base Score: 5 | Impact Score: 2.9 | Exploitability Score: 10
VMScore: 445
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

Vulnerability Summary

Requests (aka python-requests) prior to 2.3.0 allows remote servers to obtain a netrc password by reading the Authorization header in a redirected request.

Vulnerable Product

debian debian linux 7.0

python requests

canonical ubuntu linux 14.04

mageia mageia 4.0

Vendor Advisories

Debian Bug report logs - #733108 python3-requests: redirect can expose netrc password. Package: python3-requests; Maintainer for python3-requests is Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>; Source for python3-requests is src:requests (PTS, buildd, popcon). Reported by: Jakub Wilk <jwilk@debi ...
Requests could be made to expose authentication credentials over the network ...
Jakub Wilk discovered that in requests, an HTTP library for the Python language, authentication information was improperly handled when a redirect occurred. This would allow remote servers to obtain two different types of sensitive information: proxy passwords from the Proxy-Authorization header (CVE-2014-1830), or netrc passwords from the Authoriza ...
Requests (aka python-requests) before 2.3.0 allows remote servers to obtain a netrc password by reading the Authorization header in a redirected request ...