gyungdal / cSync

Camera synchronizer for 3D human body scanning

CVE-2018-20060 (High) detected in requests-v2.9.1 - autoclosed #16

Closed mend-bolt-for-github[bot] closed 2 years ago

mend-bolt-for-github[bot] commented 4 years ago

CVE-2018-20060 - High Severity Vulnerability

Vulnerable Library - requests-v2.9.1

A simple, yet elegant HTTP library.

Library home page: https://github.com/kennethreitz/requests.git

Found in HEAD commit: c8faca656439c1f8b6892f9b06aaeb3200af5c6e

Library Source Files (33)

* The source files were matched to this source library based on a best effort match. Source libraries are selected from a list of probable public libraries.

- /cSync/reference/pi3dscan/agisoft_python_requests/requests/packages/urllib3/util/ssl_.py
- /cSync/reference/pi3dscan/agisoft_python_requests/requests/utils.py
- _depth_0/cSync/reference/pi3dscan/agisoft_python_requests/requests/packages/urllib3/__init__.py
- /cSync/reference/pi3dscan/agisoft_python_requests/requests/models.py
- /cSync/reference/pi3dscan/agisoft_python_requests/requests/api.py
- /cSync/reference/pi3dscan/agisoft_python_requests/requests/cookies.py
- /cSync/reference/pi3dscan/agisoft_python_requests/requests/packages/urllib3/util/request.py
- _depth_0/cSync/reference/pi3dscan/agisoft_python_requests/requests/adapters.py
- _depth_0/cSync/reference/pi3dscan/agisoft_python_requests/requests/packages/urllib3/request.py
- /cSync/reference/pi3dscan/agisoft_python_requests/requests/__init__.py
- /cSync/reference/pi3dscan/agisoft_python_requests/requests/packages/urllib3/util/connection.py
- _depth_0/cSync/reference/pi3dscan/agisoft_python_requests/requests/packages/urllib3/util/retry.py
- /cSync/reference/pi3dscan/agisoft_python_requests/requests/packages/urllib3/exceptions.py
- _depth_0/cSync/reference/pi3dscan/agisoft_python_requests/requests/packages/urllib3/util/response.py
- _depth_0/cSync/reference/pi3dscan/agisoft_python_requests/requests/hooks.py
- _depth_0/cSync/reference/pi3dscan/agisoft_python_requests/requests/sessions.py
- /cSync/reference/pi3dscan/agisoft_python_requests/requests/auth.py
- _depth_0/cSync/reference/pi3dscan/agisoft_python_requests/requests/packages/urllib3/util/url.py
- /cSync/reference/pi3dscan/agisoft_python_requests/requests/packages/urllib3/util/timeout.py
- _depth_0/cSync/reference/pi3dscan/agisoft_python_requests/requests/packages/urllib3/response.py
- /cSync/reference/pi3dscan/agisoft_python_requests/requests/packages/urllib3/contrib/appengine.py
- _depth_0/cSync/reference/pi3dscan/agisoft_python_requests/requests/packages/urllib3/contrib/ntlmpool.py
- /cSync/reference/pi3dscan/agisoft_python_requests/requests/packages/urllib3/poolmanager.py
- _depth_0/cSync/reference/pi3dscan/agisoft_python_requests/requests/packages/urllib3/contrib/pyopenssl.py
- _depth_0/cSync/reference/pi3dscan/agisoft_python_requests/requests/packages/urllib3/filepost.py
- _depth_0/cSync/reference/pi3dscan/agisoft_python_requests/requests/packages/urllib3/fields.py
- /cSync/reference/pi3dscan/agisoft_python_requests/requests/exceptions.py
- /cSync/reference/pi3dscan/agisoft_python_requests/requests/packages/urllib3/connection.py
- _depth_0/cSync/reference/pi3dscan/agisoft_python_requests/requests/status_codes.py
- _depth_0/cSync/reference/pi3dscan/agisoft_python_requests/requests/packages/urllib3/_collections.py
- _depth_0/cSync/reference/pi3dscan/agisoft_python_requests/requests/packages/urllib3/util/__init__.py
- /cSync/reference/pi3dscan/agisoft_python_requests/requests/packages/__init__.py
- /cSync/reference/pi3dscan/agisoft_python_requests/requests/packages/urllib3/connectionpool.py

Vulnerability Details

urllib3 before version 1.23 does not remove the Authorization HTTP header when following a cross-origin redirect (i.e., a redirect that differs in host, port, or scheme). This can allow for credentials in the Authorization header to be exposed to unintended hosts or transmitted in cleartext.

Publish Date: 2018-12-11

URL: CVE-2018-20060

CVSS 3 Score Details (9.8)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20060

Fix Resolution: 1.23


mend-bolt-for-github[bot] commented 2 years ago

✔ This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.