7.5
CVSSv3

CVE-2018-18074

Published: 09/10/2018 Updated: 21/11/2024

Vulnerability Summary

The Requests package prior to 2.20.0 for Python sends an HTTP Authorization header to an http URI upon receiving a same-hostname https-to-http redirect, which makes it easier for remote malicious users to discover credentials by sniffing the network.

Vulnerability Trend

Vulnerable Product Search on Vulmon Subscribe to Product

python requests

canonical ubuntu linux 14.04

canonical ubuntu linux 16.04

canonical ubuntu linux 18.04

canonical ubuntu linux 18.10

opensuse leap 15.1

redhat enterprise linux desktop 7.0

redhat enterprise linux server 7.0

redhat enterprise linux workstation 7.0

Vendor Advisories

Requests could be made to expose sensitive information if it received a specially crafted HTTP header ...
Requests could be made to expose sensitive information if it received a specially crafted HTTP header ...
Debian Bug report logs - #910766 requests: CVE-2018-18074 Package: src:requests; Maintainer for src:requests is Debian Python Modules Team <python-modules-team@listsaliothdebianorg>; Reported by: Salvatore Bonaccorso <carnil@debianorg> Date: Wed, 10 Oct 2018 20:54:01 UTC Severity: important Tags: fixed-upstream, ...
Synopsis Moderate: python-virtualenv security update Type/Severity Security Advisory: Moderate Topic An update for python-virtualenv is now available for Red Hat Enterprise Linux 7Red Hat Product Security has rated this update as having a security impact of Moderate A Common Vulnerability Scoring System ( ...
Synopsis Moderate: python-virtualenv security update Type/Severity Security Advisory: Moderate Topic An update for python-virtualenv is now available for Red Hat Enterprise Linux 7Red Hat Product Security has rated this update as having a security impact of Moderate A Common Vulnerability Scoring System ( ...
Synopsis Moderate: OpenShift Container Platform 461 image security update Type/Severity Security Advisory: Moderate Topic An update is now available for Red Hat OpenShift Container Platform 46Red Hat Product Security has rated this update as having a security impact of Moderate A Common Vulnerability S ...
Synopsis Important: Container-native Virtualization security, bug fix, and enhancement update Type/Severity Security Advisory: Important Topic Red Hat OpenShift Virtualization release 240 is now available with updates to packages and images that fix several bugs and add enhancementsRed Hat Product Securi ...
Synopsis Moderate: python-pip security update Type/Severity Security Advisory: Moderate Topic An update for python-pip is now available for Red Hat Enterprise Linux 8Red Hat Product Security has rated this update as having a security impact of Moderate A Common Vulnerability Scoring System (CVSS) base sco ...
Synopsis Moderate: python-pip security update Type/Severity Security Advisory: Moderate Topic An update for python-pip is now available for Red Hat Enterprise Linux 7Red Hat Product Security has rated this update as having a security impact of Moderate A Common Vulnerability Scoring System (CVSS) base sco ...
Synopsis Low: python-requests security update Type/Severity Security Advisory: Low Topic An update for python-requests is now available for Red Hat Enterprise Linux 7Red Hat Product Security has rated this update as having a security impact of Low A Common Vulnerability Scoring System (CVSS) base score, w ...
Synopsis Moderate: python27:27 security, bug fix, and enhancement update Type/Severity Security Advisory: Moderate Topic An update for the python27:27 module is now available for Red Hat Enterprise Linux 8Red Hat Product Security has rated this update as having a security impact of Moderate A Common Vul ...
A credentials-exposure flaw was found in python-requests, where if a request with authentication is redirected (302) from an HTTPS endpoint to an HTTP endpoint on the same host, the Authorization header is not stripped and the credentials can be read in plain text A man-in-the-middle attacker could exploit this flaw to obtain a user's valid creden ...
urllib3 before version 123 does not remove the Authorization HTTP header when following a cross-origin redirect (ie, a redirect that differs in host, port, or scheme) This can allow for credentials in the Authorization header to be exposed to unintended hosts or transmitted in cleartext (CVE-2018-20060) In the urllib3 library through 1241 fo ...

Github Repositories

Simple tool for deploying basic lambda functions

Simple AWS Lambda Maker This is a super simple tool for creating/modifying multiple lambda functions It was built for the purpose of deploying our Alexa skills across multiple regions in the same account Installation Just use pip: $ pip install simple-aws-lambda-maker Then create a salmyml with something like: --- function_defaults: filepath: "{config_root}/lambda_

Encrypted Credential Management (Python implementation of Credulous)

Credo The python implementation of Credulous (githubcom/realestate-com-au/credulous) Essentially, it's a credential management program written with amazon credentials in mind It uses your ssh key pairs to keep your credentials encrypted on disk until you need to use them Installation Use pip!: pip install credo_manager Usage Import some keys: credo import Ex

import speech_recognition as sr import pyttsx3 as ttx import pywhatkit import datetime import webbrowser import pyttsx3 from googleapiclientdiscovery import build import googleapiclienterrors import requests from bs4 import BeautifulSoup import os from selenium import webdriver import pyautogui import time #Importer les bibliothéques pour localiser télephone imp

Indian Premier League Predictions - 2018 The Indian Premier League, officially Vivo Indian Premier League (for sponsorship reasons), is a professional Twenty20 cricket league in India contested during April and May of every year by teams representing Indian cities and some states This project is an attempt to predict the winner of T20 cricket matches The objective is to

Application that can use chatGPT and Codex in streamlit to run and we must reflect this evening on the title of the application, it will be an application whose role will be to create code or to ask it through the text to create a video game

Game-4X-maker Application that can use chatGPT and Codex in streamlit to run and we must reflect this evening on the title of the application, it will be an application whose role will be to create code or to ask it through the text to create a video game [metadata] name = openai version = attr: openaiversionVERSION description = P

Game-4X-maker Application that can use chatGPT and Codex in streamlit to run and we must reflect this evening on the title of the application, it will be an application whose role will be to create code or to ask it through the text to create a video game [metadata] name = openai version = attr: openaiversionVERSION description = P

challenges for an interview

Challenge 1: Python Docker Test The goal of this challenge is to assess how you resolve vulnerabilities within a docker image The dockerfile builds into a docker image that contains the following vulnerabilities CVE-2018-18074 CVE-2019-8457 CVE-2018-12699 The organization allows applications with high severity vulnerabilities to be released, but nothing more severe than hig

appseccft CTF Anwers Challenge 1: Answers and Notes: 1 There are several things that can be addressed with this application CVE-2018-18074 can be addressed by modifying the requirements file to install requests=2220 rather than the vulnerable version Also there are a lot of package imports in the script itself that aren't being used, and should be removed until they

  Packj flags malicious/risky open-source packages Packj (pronounced package) is a command line (CLI) tool to vet open-source software packages for "risky" attributes that make them vulnerable to supply chain attacks This is the tool behind our large-scale security analysis platform Packjdev that continuously vets packages and provides free reports Co

How to create enviroment with conda To create an environment: conda create --name myenv Create the environment from the environmentyml file: conda env create -f environmentyml To create an enviroment for the udacity class room: conda create -n udacity-fundamentos-ia numpy jupyter notebook pandas matplotlib seaborn python=3 Activate & Deactivate enviroment sour

Low-effort reachability analysis for third-party code vulnerabilities.

narrow This project investigates ways to automatically determine (in some cases) whether a known vulnerability in some dependency affects a targeted first-party codebase It does this by combining two things: 1) Patch Extraction and 2) Static Program Analysis Specifically, this repo implements a python-based command-line tool that can be used to do one of the following: Deter

A secure Python-based code scanner for open-source repositories.

🚨 Secure Code Scanner 🚨 A production-grade, Python-based security scanner for analyzing open-source repositories, designed to detect malicious or insecure code Use this tool to confidently integrate third-party code into your projects ✨ Features πŸ” Automated Repository Scanning: Clone and scan GitHub repositories automatically 🚫 Malicious Code Detection: Detect