Lucene search
This script is Copyright (C) 2019-2024 and is owned by Tenable, Inc. or an Affiliate thereof.EULEROS_SA-2019-1877.NASLHistorySep 16, 2019 - 12:00 a.m.
EulerOS 2.0 SP5 : python-urllib3 (EulerOS-SA-2019-1877)
2019-09-1600:00:00
This script is Copyright (C) 2019-2024 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
21
5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
8.4 High
AI Score
Confidence
High
0.01 Low
EPSS
Percentile
83.8%
According to the version of the python-urllib3 package installed, the EulerOS installation on the remote host is affected by the following vulnerability :
- urllib3 before version 1.23 does not remove the Authorization HTTP header when following a cross-origin redirect (i.e., a redirect that differs in host, port, or scheme). This can allow for credentials in the Authorization header to be exposed to unintended hosts or transmitted in cleartext.(CVE-2018-20060)
Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(128800);
script_version("1.6");
script_set_attribute(attribute:"plugin_modification_date", value:"2024/04/26");
script_cve_id("CVE-2018-20060");
script_name(english:"EulerOS 2.0 SP5 : python-urllib3 (EulerOS-SA-2019-1877)");
script_set_attribute(attribute:"synopsis", value:
"The remote EulerOS host is missing a security update.");
script_set_attribute(attribute:"description", value:
"According to the version of the python-urllib3 package installed, the
EulerOS installation on the remote host is affected by the following
vulnerability :
- urllib3 before version 1.23 does not remove the
Authorization HTTP header when following a cross-origin
redirect (i.e., a redirect that differs in host, port,
or scheme). This can allow for credentials in the
Authorization header to be exposed to unintended hosts
or transmitted in cleartext.(CVE-2018-20060)
Note that Tenable Network Security has extracted the preceding
description block directly from the EulerOS security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.");
# https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-1877
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?ecc57f03");
script_set_attribute(attribute:"solution", value:
"Update the affected python-urllib3 package.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-20060");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
script_set_attribute(attribute:"patch_publication_date", value:"2019/09/12");
script_set_attribute(attribute:"plugin_publication_date", value:"2019/09/16");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:python-urllib3");
script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:2.0");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Huawei Local Security Checks");
script_copyright(english:"This script is Copyright (C) 2019-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/sp");
script_exclude_keys("Host/EulerOS/uvp_version");
exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("rpm.inc");
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/EulerOS/release");
if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
if (release !~ "^EulerOS release 2\.0(\D|$)") audit(AUDIT_OS_NOT, "EulerOS 2.0");
sp = get_kb_item("Host/EulerOS/sp");
if (isnull(sp) || sp !~ "^(5)$") audit(AUDIT_OS_NOT, "EulerOS 2.0 SP5");
uvp = get_kb_item("Host/EulerOS/uvp_version");
if (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, "EulerOS 2.0 SP5", "EulerOS UVP " + uvp);
if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu);
flag = 0;
pkgs = ["python-urllib3-1.10.2-2.h2.eulerosv2r7"];
foreach (pkg in pkgs)
if (rpm_check(release:"EulerOS-2.0", sp:"5", reference:pkg)) flag++;
if (flag)
{
security_report_v4(
port : 0,
severity : SECURITY_WARNING,
extra : rpm_report_get()
);
exit(0);
}
else
{
tested = pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, "python-urllib3");
}
Related
f5
f5
K000133668 : Python urllib3 vulnerability CVE-2018-20060
2023-04-27 00:00:00
openvas
openvas
Huawei EulerOS: Security Advisory for python-urllib3 (EulerOS-SA-2019-1936)
2020-01-23 00:00:00
Fedora Update for python-urllib3 FEDORA-2019-8560719e80
2019-04-30 00:00:00
Fedora Update for python-urllib3 FEDORA-2019-a6c56f9756
2019-05-07 00:00:00
redhatcve
redhatcve
CVE-2018-20060
2021-08-22 13:20:42
CVE-2018-25091
2023-10-16 04:16:46
fedora
fedora
[SECURITY] Fedora 30 Update: python-urllib3-1.24.2-1.fc30
2019-04-27 21:35:01
[SECURITY] Fedora 29 Update: python-urllib3-1.24.2-1.fc29
2019-04-23 20:15:33
[SECURITY] Fedora 28 Update: python-urllib3-1.24.2-1.fc28
2019-04-30 01:41:11
osv
osv
PYSEC-2018-32
2018-12-11 17:29:00
Exposure of Sensitive Information to an Unauthorized Actor in urllib3
2018-12-12 15:52:07
CVE-2018-20060
2018-12-11 17:29:00
amazon
amazon
Low: python-urllib3
2019-05-16 21:46:00
Low: python-urllib3
2019-06-11 22:41:00
Medium: python-urllib3
2020-06-26 22:55:00
nessus
nessus
Amazon Linux 2 : python-urllib3 (ALAS-2019-1211)
2019-05-21 00:00:00
Fedora 30 : python-urllib3 (2019-6afaa38e7b)
2019-05-02 00:00:00
Amazon Linux 2 : python-urllib3 (ALAS-2020-1446)
2020-07-02 00:00:00
debiancve
debiancve
CVE-2018-20060
2018-12-11 17:29:00
CVE-2018-25091
2023-10-15 19:15:09
ubuntucve
ubuntucve
CVE-2018-20060
2018-12-11 00:00:00
CVE-2018-25091
2023-10-15 00:00:00
prion
prion
Authorization
2018-12-11 17:29:00
Authorization
2023-10-15 19:15:00
cvelist
cvelist
CVE-2018-20060
2018-12-11 17:00:00
CVE-2018-25091
2023-10-15 00:00:00
nvd
nvd
CVE-2018-20060
2018-12-11 17:29:00
CVE-2018-25091
2023-10-15 19:15:09
veracode
veracode
Information Disclosure
2018-12-12 03:50:22
Authorization HTTP Header Leakage
2023-10-16 12:50:32
cve
cve
CVE-2018-20060
2018-12-11 17:29:00
CVE-2018-25091
2023-10-15 19:15:09
github
github
Exposure of Sensitive Information to an Unauthorized Actor in urllib3
2018-12-12 15:52:07
Authorization Header forwarded on redirect
2023-10-15 21:30:26
oraclelinux
oraclelinux
python-urllib3 security update
2019-08-13 00:00:00
python-virtualenv security update
2020-03-18 00:00:00
python-virtualenv security update
2020-05-19 00:00:00
redhat
redhat
(RHSA-2019:2272) Moderate: python-urllib3 security update
2019-08-06 08:19:27
(RHSA-2020:2081) Moderate: python-virtualenv security update
2020-05-12 14:03:20
(RHSA-2020:0851) Moderate: python-virtualenv security update
2020-03-17 13:10:32
centos
centos
python security update
2019-08-30 04:04:34
python security update
2020-03-25 19:10:05
python3 security update
2020-03-18 19:33:57
freebsd
freebsd
urllib3 -- multiple vulnerabilities
2018-12-11 00:00:00
mageia
mageia
Updated python-urllib3 packages fix security vulnerability
2019-09-07 00:09:08
ubuntu
ubuntu
urllib3 vulnerabilities
2019-05-21 00:00:00
debian
debian
[SECURITY] [DLA 2686-1] python-urllib3 security update
2021-06-15 18:34:44
[SECURITY] [DLA 3610-1] python-urllib3 security update
2023-10-08 11:06:20
suse
suse
Security update for python-urllib3 (moderate)
2019-09-14 00:00:00
photon
photon
almalinux
almalinux
Moderate: python27:2.7 security, bug fix, and enhancement update
2020-04-28 08:55:59
rocky
rocky
python27:2.7 security, bug fix, and enhancement update
2020-04-28 08:55:59
ibm
ibm
oracle
oracle
Oracle Critical Patch Update Advisory - April 2023
2023-04-18 00:00:00
5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
8.4 High
AI Score
Confidence
High
0.01 Low
EPSS
Percentile
83.8%
Related for EULEROS_SA-2019-1877.NASL