#VU19388 Credentials management in Requests - CVE-2018-18074


Vulnerability identifier: #VU19388

Vulnerability risk: High

CVSSv4.0: 8.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber]

CVE-ID: CVE-2018-18074

CWE-ID: CWE-255

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Requests
Universal components / Libraries / Scripting languages

Vendor: Python.org

Description

The vulnerability allows a remote attacker to access sensitive information on a targeted system.

The vulnerability exists due to the software does not remove the HTTP Authorization header when following an HTTPS-to-HTTP redirect with the same hostname. A remote attacker who is able to perform a man-in-the-middle attack can sniff network traffic in transit between two systems on the targeted network and access sensitive information, such as user credentials.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Requests: 0.9.0 - 2.19.1

External links
https://github.com/requests/requests/commit/c45d7c49ea75133e52ab22a8e9e13173938e36ff
https://github.com/requests/requests/issues/4716
https://github.com/requests/requests/pull/4718

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.


Latest bulletins with this vulnerability


Multiple vulnerabilities in IBM QRadar Deployment Intelligence App
Multiple vulnerabilities in IBM QRadar Assistant
SUSE update for python-requests
SUSE update for python-requests
Red Hat Enterprise Linux 7 update for python-pip
Red Hat Enterprise Linux 7 update for python-virtualenv
Red Hat Enterprise Linux 8 update for the python27:2.7 module
Red Hat Enterprise Linux 8 update for python-pip
CentOS 7 update for python-virtualenv
CentOS 7 update for python-pip