CVE-2018-18074
Severity: HIGH 7.5 | EPSS: 0.20%
Insufficiently Protected Credentials in Requests
Published: 10/29/2018 | Modified: 4/28/2026
Description
The Requests package before 2.20.0 for Python sends an HTTP Authorization header to an http URI upon receiving a same-hostname https-to-http redirect, which makes it easier for remote attackers to discover credentials by sniffing the network.
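As an added illustration (not code from the Requests project or from this advisory), the check below re-implements, in plain Python, the redirect policy the 2.20.0 fix introduced: credentials are dropped when a redirect changes the host, downgrades https to http, or changes the effective port, while a same-host http-to-https upgrade on the standard ports keeps them. Function names and the sample URLs are the editor's own.

```python
from urllib.parse import urlparse

# Effective port when a URL carries none (assumption: only http/https are handled).
DEFAULT_PORTS = {"http": 80, "https": 443}


def should_strip_auth(old_url: str, new_url: str) -> bool:
    """Return True if the Authorization header must NOT follow the redirect.

    Policy modelled on the behaviour Requests adopted in 2.20.0 (this is an
    independent re-implementation, not the library's code):
      * different hostname                  -> strip
      * https -> http on the same host      -> strip (the CVE-2018-18074 case)
      * effective port changed              -> strip
      * http -> https on ports 80 -> 443    -> keep (safe upgrade)
    """
    old, new = urlparse(old_url), urlparse(new_url)
    if old.hostname != new.hostname:
        return True
    old_port = old.port or DEFAULT_PORTS.get(old.scheme)
    new_port = new.port or DEFAULT_PORTS.get(new.scheme)
    if (old.scheme == "http" and new.scheme == "https"
            and old_port == 80 and new_port == 443):
        return False
    # Any remaining scheme or port change means a different origin.
    return old.scheme != new.scheme or old_port != new_port


def headers_for_redirect(headers: dict, old_url: str, new_url: str) -> dict:
    """Build the header set for the redirected request.

    Before 2.20.0 the headers were forwarded unchanged on a same-host
    https->http redirect, so a bearer token or Basic credential went out in
    cleartext; here it is removed whenever should_strip_auth() says so.
    Header names are compared case-insensitively.
    """
    strip = should_strip_auth(old_url, new_url)
    return {k: v for k, v in headers.items()
            if not (strip and k.lower() == "authorization")}


if __name__ == "__main__":
    # Constructed example reproducing the advisory's scenario.
    first = "https://api.example.test/v1/resource"
    redirected_to = "http://api.example.test/v1/resource"
    sent = headers_for_redirect({"Authorization": "Bearer <token>"}, first, redirected_to)
    print("strip:", should_strip_auth(first, redirected_to), "headers sent:", sent)
```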
Affected packages (3)
- Debian/requests: from 0, < 2.20.0-1
- PyPI/requests: from 0, < 2.20.0
- PyPI/requests: from 0, < c45d7c49ea75133e52ab22a8e9e13173938e36ff | from 0, < 2.20.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
References (17)
- ADVISORY: https://github.com/advisories/GHSA-x84v-xcm2-53pg
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2018-18074
- ADVISORY: https://security-tracker.debian.org/tracker/CVE-2018-18074
- PATCH: https://github.com/requests/requests
- WEB: http://docs.python-requests.org/en/master/community/updates/#release-and-version-history
- WEB: http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00024.html
- WEB: https://access.redhat.com/errata/RHSA-2019:2035
- WEB: https://bugs.debian.org/910766
- WEB: https://github.com/pypa/advisory-database/tree/main/vulns/requests/PYSEC-2018-28.yaml
- WEB: https://github.com/requests/requests/commit/c45d7c49ea75133e52ab22a8e9e13173938e36ff
- WEB: https://github.com/requests/requests/issues/4716
- WEB: https://github.com/requests/requests/pull/4718
- WEB: https://usn.ubuntu.com/3790-1
- WEB: https://usn.ubuntu.com/3790-1/
- WEB: https://usn.ubuntu.com/3790-2
- WEB: https://usn.ubuntu.com/3790-2/
- WEB: https://www.oracle.com/security-alerts/cpujul2022.html