CVE-2014-1830: Exposure of Sensitive Information to an Unauthorized Actor in Requests

CVSS Score: 5

Basic Information

EPSS Score: 0.67769%
Published: 5/14/2022
Updated: 10/21/2024
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

Package Name | Ecosystem | Vulnerable Versions | First Patched Version
requests | pip | < 2.3.0 | 2.3.0

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from improper header management during redirects. The Session.resolve_redirects function is directly responsible for processing redirects and maintaining headers between requests. Pre-2.3.0 versions didn't remove Proxy-Authorization headers when redirecting to new targets, as confirmed by the CVE description and Debian bug reports. The Session.send method initiates the request chain that includes redirect resolution, making it a propagation point. Both functions are core components of the redirect handling mechanism where the sensitive header leakage occurred.
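To make the header-management defect concrete, the following added example (constructed for this page, not code from the requests project) models a minimal redirect-following client. With strip=False it reproduces the behaviour the analysis describes: the headers of the previous request, Proxy-Authorization included, are copied verbatim into the redirected request, so a redirect to a host that is not reached through the proxy delivers the proxy credential to that host. The hardened path rebuilds the credential headers per hop instead of carrying them over, and a small detection helper reports any credential header that reaches a host where it does not belong. The redirect chain, proxy policy and credential value are all constructed inputs; no network I/O takes place.

```python
"""Simplified model of redirect handling, contrasting the pre-2.3.0 behaviour the
advisory describes (headers from the previous request carried verbatim into the
redirected request) with a hardened version that rebuilds credential headers per
hop. Constructed example; not the requests project's own code."""
from urllib.parse import urljoin, urlparse

# Constructed "network": url -> (status, Location). No real I/O happens.
REDIRECT_CHAIN = {
    "http://app.example.internal/report": (302, "http://cdn.example.test/report"),
    "http://cdn.example.test/report": (200, None),
}
# Constructed proxy policy: only the internal host is reached through a proxy.
PROXIED_HOSTS = {"app.example.internal": "proxy.example.internal:3128"}
PROXY_AUTH = "Basic cHJveHl1c2VyOnByb3h5cGFzcw=="  # constructed credential, not real


def proxy_for(url):
    """Return the proxy used for this URL, or None if the request goes direct."""
    return PROXIED_HOSTS.get(urlparse(url).hostname)


def rebuild_headers(carried, previous_url, next_url):
    """Hardened policy for the headers of a redirected request.

    Proxy-Authorization is never carried over: it is re-attached only if the
    next hop actually goes through a proxy. Authorization is dropped when the
    redirect leaves the original host.
    """
    safe = {}
    same_host = urlparse(previous_url).hostname == urlparse(next_url).hostname
    for name, value in carried.items():
        lname = name.lower()
        if lname == "proxy-authorization":
            continue
        if lname == "authorization" and not same_host:
            continue
        safe[name] = value
    if proxy_for(next_url):
        safe["Proxy-Authorization"] = PROXY_AUTH
    return safe


def follow_redirects(url, headers, strip=True, max_hops=5):
    """Walk the chain and return [(url, headers_sent)] for each hop.

    strip=False reproduces the vulnerable behaviour: every header of the
    previous request is copied into the redirected request unchanged.
    """
    sent = []
    current_url, current_headers = url, dict(headers)
    if proxy_for(current_url):
        current_headers["Proxy-Authorization"] = PROXY_AUTH
    for _ in range(max_hops):
        sent.append((current_url, dict(current_headers)))
        status, location = REDIRECT_CHAIN[current_url]
        if location is None or status not in (301, 302, 303, 307, 308):
            return sent
        next_url = urljoin(current_url, location)
        if strip:
            current_headers = rebuild_headers(current_headers, current_url, next_url)
        current_url = next_url
    raise RuntimeError("too many redirects")


def leaked_credentials(sent, origin_url):
    """Detection: credential headers delivered where they do not belong.

    Proxy-Authorization on a hop that uses no proxy reaches the target server;
    Authorization on a host other than the origin leaves the origin.
    """
    origin_host = urlparse(origin_url).hostname
    leaks = []
    for hop_url, hdrs in sent:
        host = urlparse(hop_url).hostname
        for name in hdrs:
            lname = name.lower()
            if lname == "proxy-authorization" and not proxy_for(hop_url):
                leaks.append((host, name))
            elif lname == "authorization" and host != origin_host:
                leaks.append((host, name))
    return leaks


if __name__ == "__main__":
    start = "http://app.example.internal/report"
    user_headers = {"Authorization": "Bearer constructed-token", "Accept": "text/html"}
    for mode in (False, True):
        hops = follow_redirects(start, user_headers, strip=mode)
        print("hardened" if mode else "vulnerable", "->", leaked_credentials(hops, start))
```

The design point is that Proxy-Authorization belongs to the proxy hop, not to the request being redirected, so the safe way to handle it across a redirect is to discard the carried copy and re-derive it from the proxy configuration for the new destination. Treating the Authorization header the same way on cross-host redirects closes the companion leak of origin credentials.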

Vulnerable functions

Session.resolve_redirects (processes redirects and carries headers between requests)
Session.send (initiates the request chain that includes redirect resolution)

WAF Protection Rules

WAF Rule

Requests (aka python-requests) before 2.3.0 allows remote servers to obtain sensitive information by reading the Proxy-Authorization header in a redirected request.
