airbnb / binaryalert

BinaryAlert: Serverless, Real-time & Retroactive Malware Detection.
https://binaryalert.io
Apache License 2.0

Requests dependency version has known vulnerability #137

Closed mmwtsn closed 5 years ago

mmwtsn commented 5 years ago

Background

CVE-2018-18074 was patched in requests version 2.20.0. According to the MITRE description:

The Requests package before 2.20.0 for Python sends an HTTP Authorization header to an http URI upon receiving a same-hostname https-to-http redirect, which makes it easier for remote attackers to discover credentials by sniffing the network.

Desired Change

Bump the version of requests from 2.19.0 to at least 2.20.0.
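A small dependency-pin check of the kind that would have caught this, added here as an example and not part of the BinaryAlert project's own code. The only real data point it uses is the one from this issue (requests fixed in 2.20.0); the requirements text, the `MIN_SAFE_VERSIONS` table, and the function names are constructed for illustration, and version strings are compared numerically using only the standard library.

```python
"""Flag exact pins in a requirements file that fall below a known-fixed version.

Added example (not BinaryAlert project code). The requirements text below is
constructed for illustration; the only real fact used is that CVE-2018-18074
is fixed in requests 2.20.0, as stated in the issue.
"""
import re
from typing import Dict, List, Tuple

# Minimum version that contains the fix, keyed by package name (hypothetical table;
# the requests entry is taken from the issue above).
MIN_SAFE_VERSIONS: Dict[str, Tuple[str, str]] = {
    "requests": ("2.20.0", "CVE-2018-18074"),
}

# Constructed sample requirements file; not the project's real pins.
SAMPLE_REQUIREMENTS = """\
boto3==1.9.0
requests==2.19.0   # pinned below the fixed release
# range specs are not exact pins and are skipped by this checker
cbor2>=4.0
"""

# Matches "name==version" with an optional trailing comment.
_PIN_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*==\s*([0-9][0-9A-Za-z.]*)\s*(?:#.*)?$")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.19.0' into (2, 19, 0); stops at the first non-numeric component."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def pinned_packages(requirements: str) -> Dict[str, str]:
    """Return {name: version} for every exact '==' pin; comments and ranges are skipped."""
    pins: Dict[str, str] = {}
    for line in requirements.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _PIN_RE.match(line)
        if m:
            pins[m.group(1).lower()] = m.group(2)
    return pins


def find_vulnerable_pins(requirements: str) -> List[Tuple[str, str, str, str]]:
    """Return (package, pinned, minimum_safe, advisory) for each pin below the fixed version."""
    findings = []
    for name, pinned in pinned_packages(requirements).items():
        if name in MIN_SAFE_VERSIONS:
            min_safe, advisory = MIN_SAFE_VERSIONS[name]
            if parse_version(pinned) < parse_version(min_safe):
                findings.append((name, pinned, min_safe, advisory))
    return findings


if __name__ == "__main__":
    for name, pinned, min_safe, advisory in find_vulnerable_pins(SAMPLE_REQUIREMENTS):
        print(f"{name}=={pinned} is below {min_safe} ({advisory}); bump it")
```

Running the block against the constructed sample reports the requests pin and nothing else; wiring a check like this into CI turns a "bump the version" issue into a failing build rather than a manual discovery.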

mmwtsn commented 5 years ago

Closed in #140.