Open staging-whitesource-for-github-com[bot] opened 4 hours ago
Python HTTP for Humans.
Library home page: https://files.pythonhosted.org/packages/c0/0f/a911a44c89ba01b23d8fe3defbdfca1e962de6f11a11da32658902cdc2a4/requests-2.8.1-py2.py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /tmp/ws-ua_20241027232607_XHVFQR/python_OAMJUI/202410272326071/env/lib/python3.8/site-packages/requests-2.8.1.dist-info
Dependency Hierarchy: - :x: **requests-2.8.1-py2.py3-none-any.whl** (Vulnerable Library)
Found in HEAD commit: 83e83af6a33e47edb742829dec5a126039d06dbe
Found in base branch: main
The Requests package before 2.20.0 for Python sends an HTTP Authorization header to an http URI upon receiving a same-hostname https-to-http redirect, which makes it easier for remote attackers to discover credentials by sniffing the network.
Publish Date: 2018-10-09
URL: CVE-2018-18074
Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: None - Availability Impact: None
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-18074
Release Date: 2018-10-09
Fix Resolution: 2.20.0
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2018-18074 - High Severity Vulnerability
Vulnerable Library - requests-2.8.1-py2.py3-none-any.whl
Python HTTP for Humans.
Library home page: https://files.pythonhosted.org/packages/c0/0f/a911a44c89ba01b23d8fe3defbdfca1e962de6f11a11da32658902cdc2a4/requests-2.8.1-py2.py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /tmp/ws-ua_20241027232607_XHVFQR/python_OAMJUI/202410272326071/env/lib/python3.8/site-packages/requests-2.8.1.dist-info
Dependency Hierarchy: - :x: **requests-2.8.1-py2.py3-none-any.whl** (Vulnerable Library)
Found in HEAD commit: 83e83af6a33e47edb742829dec5a126039d06dbe
Found in base branch: main
Vulnerability Details
The Requests package before 2.20.0 for Python sends an HTTP Authorization header to an http URI upon receiving a same-hostname https-to-http redirect, which makes it easier for remote attackers to discover credentials by sniffing the network.
Publish Date: 2018-10-09
URL: CVE-2018-18074
CVSS 3 Score Details (7.5)
Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: None - Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-18074
Release Date: 2018-10-09
Fix Resolution: 2.20.0
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.