7.1 HIGH
- CVSS version (CVSS): 3.1
- Attack Vector (AV): Network (N)
- Attack Complexity (AC): Low (L)
- Privileges Required (PR): None (N)
- User Interaction (UI): Required (R)
- Scope (S): Unchanged (U)
- Confidentiality (C): High (H)
- Integrity (I): Low (L)
- Availability (A): None (N)
- Modified Attack Vector (MAV): Network (N)
- Modified Attack Complexity (MAC): Low (L)
- Modified Privileges Required (MPR): None (N)
- Modified User Interaction (MUI): Required (R)
- Modified Confidentiality (MC): High (H)
- Modified Scope (MS): Unchanged (U)
- Modified Integrity (MI): Low (L)
- Modified Availability (MA): None (N)
Activity log
- Created suggestion
HTTP::Tiny versions before 0.095 for Perl forward credential headers to cross-origin redirect targets
HTTP::Tiny versions before 0.095 for Perl forward credential headers to cross-origin redirect targets. When the server returns a 3xx redirect, `_maybe_redirect` follows the `Location:` header and `_prepare_headers_and_cb` re-merges the caller's `headers` argument into the new request, without checking whether the redirect target shares an origin with the original URL. Caller-supplied `Authorization`, `Cookie` and `Proxy-Authorization` headers are therefore re-sent to whatever host the redirect names, across scheme, host or port boundaries, and including `https` to `http` downgrades that expose them in plaintext on the wire. The HTTP::Tiny POD note that "Authorization headers will not be included in a redirected request" applied only to the URL-userinfo Basic-auth path, not to headers passed explicitly by the caller.
References
-
https://github.com/Perl-Toolchain-Gang/HTTP-Tiny/pull/36 issue-tracking
Affected products
- <0.095
Matching in nixpkgs
pkgs.perlPackages.HTTPTinyish
HTTP::Tiny compatible HTTP client wrappers
pkgs.perl5Packages.HTTPTinyish
HTTP::Tiny compatible HTTP client wrappers
pkgs.perlPackages.HTTPTinyCache
Cache HTTP::Tiny responses
pkgs.perl5Packages.HTTPTinyCache
Cache HTTP::Tiny responses
pkgs.perlPackages.TestMockHTTPTiny
Record and replay HTTP requests/responses with HTTP::Tiny
Package maintainers
-
@stigtsp Stig Palmquist <stig@stig.io>