Bug 1216275 (CVE-2018-25091)

Summary: VUL-0: CVE-2018-25091: python-urllib3: urllib3 does not remove the authorization HTTP header when following a cross-origin redirect
Product: [Novell Products] SUSE Security Incidents Reporter: SMASH SMASH <smash_bz>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: IN_PROGRESS --- QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: daniel.garcia, thomas.leroy
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/381890/
Whiteboard: CVSSv3.1:SUSE:CVE-2018-25091:6.5:(AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description SMASH SMASH 2023-10-16 10:09:02 UTC 
urllib3 before 1.24.2 does not remove the authorization HTTP header when
following a cross-origin redirect (i.e., a redirect that differs in host, port,
or scheme). This can allow for credentials in the authorization header to be
exposed to unintended hosts or transmitted in cleartext. NOTE: this issue exists
because of an incomplete fix for CVE-2018-20060 (which was case-sensitive).

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-25091
https://github.com/urllib3/urllib3/pull/1511
https://github.com/urllib3/urllib3/commit/adb358f8e06865406d1f05e581a16cbea2136fbc
Comment 1 Thomas Leroy 2023-10-16 12:08:46 UTC 
A few codestreams remain affected:
- SUSE:SLE-12-SP3:Update:Products:Teradata:Update
- SUSE:SLE-12-SP4:Update:Products:Cloud9:Update
- SUSE:SLE-15:Update

The other ones are already fixed.
Comment 5 Maintenance Automation 2023-11-02 20:30:06 UTC 
SUSE-SU-2023:4352-1: An update that solves three vulnerabilities can now be installed.

Category: security (moderate)
Bug References: 1215968, 1216275, 1216377
CVE References: CVE-2018-25091, CVE-2023-43804, CVE-2023-45803
Sources used:
SUSE OpenStack Cloud 9 (src): python-urllib3-1.23-3.25.1
SUSE OpenStack Cloud Crowbar 9 (src): python-urllib3-1.23-3.25.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.