CVE-2014-1830: Exposure of Sensitive Information to an Unauthorized Actor in Requests
CVSS Score: 5
Basic Information
CVE ID: CVE-2014-1830
GHSA ID:
EPSS Score: 0.67769%
CWE: Exposure of Sensitive Information to an Unauthorized Actor
Published: 5/14/2022
Updated: 10/21/2024
KEV Status: No
Technology: Python
Technical Details
CVSS Vector (v2): AV:N/AC:L/Au:N/C:P/I:N/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
requests | pip | < 2.3.0 | 2.3.0 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from improper header management during redirects. Session.resolve_redirects is the function that processes redirects and carries headers from one request to the next; in versions before 2.3.0 it did not remove the Proxy-Authorization header when following a redirect to a new target, so the proxy credentials in that header were sent on to the redirect destination, as confirmed by the CVE description and Debian bug reports. Session.send initiates the request chain that includes redirect resolution, making it the propagation point. Both functions are core components of the redirect-handling mechanism where the sensitive header leakage occurred.
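The redirect header handling the analysis describes, modelled as an added example that is not code from Requests itself: the function names, the sample headers and the redirect chain are constructed for illustration. The hardened variant also drops Authorization on cross-origin or https-to-http redirects, which goes beyond the Proxy-Authorization case this CVE covers.

```python
from urllib.parse import urlsplit

# Constructed sample: headers a client sends on the first hop through an
# authenticating forward proxy. Credential values are made up for the example.
ORIGINAL_HEADERS = {
    "User-Agent": "example-client/1.0",
    "Proxy-Authorization": "Basic cHJveHl1c2VyOnByb3h5cGFzcw==",
    "Authorization": "Bearer constructed-token",
}
CREDENTIAL_HEADERS = ("proxy-authorization", "authorization")


def vulnerable_redirect_headers(headers, from_url, to_url):
    """Model of the pre-2.3.0 behaviour described above: the header set is
    carried over to the redirect target unchanged."""
    return dict(headers)


def hardened_redirect_headers(headers, from_url, to_url):
    """Headers a redirect-following client should send to `to_url`.

    Proxy-Authorization is dropped unconditionally: it was meant for the proxy
    that handled the original request, never for the host in Location.
    Authorization is dropped when the redirect leaves the original host/port
    or downgrades https to http.
    """
    kept = {k: v for k, v in headers.items() if k.lower() != "proxy-authorization"}
    src, dst = urlsplit(from_url), urlsplit(to_url)
    crosses_origin = (src.hostname, src.port) != (dst.hostname, dst.port)
    downgraded = src.scheme == "https" and dst.scheme == "http"
    if crosses_origin or downgraded:
        kept = {k: v for k, v in kept.items() if k.lower() != "authorization"}
    return kept


def leaked_headers(rebuild, headers, from_url, to_url):
    """Credential header names that `rebuild` would let reach the target."""
    sent = rebuild(headers, from_url, to_url)
    return sorted(k for k in sent if k.lower() in CREDENTIAL_HEADERS)


def follow_chain(rebuild, headers, chain):
    """Walk a constructed redirect chain [(url, location), ...] and report the
    credential headers that would be presented at each hop's target."""
    report = []
    for from_url, to_url in chain:
        report.append((to_url, leaked_headers(rebuild, headers, from_url, to_url)))
        headers = rebuild(headers, from_url, to_url)  # next hop starts from the rebuilt set
    return report
```

Running `follow_chain` with both rebuild functions over a same-host hop followed by a third-party hop shows the proxy credential reaching the third party only under the vulnerable model.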