Open staging-whitesource-for-github-com[bot] opened 3 hours ago
:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.
:information_source: This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.
CVE-2018-18074 - High Severity Vulnerability
Vulnerable Library - requests-2.19.1-py2.py3-none-any.whl
Python HTTP for Humans.
Library home page: https://files.pythonhosted.org/packages/65/47/7e02164a2a3db50ed6d8a6ab1d6d60b69c4c3fdf57a284257925dfc12bda/requests-2.19.1-py2.py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /tmp/ws-ua_20241117234241_TJZVGZ/python_ISNRPD/202411172342411/env/lib/python3.8/site-packages/requests-2.19.1.dist-info
Dependency Hierarchy: - :x: **requests-2.19.1-py2.py3-none-any.whl** (Vulnerable Library)
Found in HEAD commit: cc600add3aeaf9e8fcebac62a35b96474039f8e7
Found in base branch: main
Vulnerability Details
The Requests package before 2.20.0 for Python sends an HTTP Authorization header to an http URI upon receiving a same-hostname https-to-http redirect, which makes it easier for remote attackers to discover credentials by sniffing the network.
Publish Date: 2018-10-09
URL: CVE-2018-18074
CVSS 3 Score Details (7.5)
Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: None - Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-18074
Release Date: 2018-10-09
Fix Resolution: 2.20.0
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.