
CVE-2018-18074: Insufficiently Protected Credentials in Requests

CVSS Score
7.5

Basic Information

EPSS Score
-
Published
10/29/2018
Updated
10/21/2024
KEV Status
No
Technology
Python

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Package Name
requests
Ecosystem
pip
Vulnerable Versions
<= 2.19.1
First Patched Version
2.20.0

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stemmed from improper Authorization header handling during redirects. The commit diff shows:
- The original rebuild_auth only checked hostname changes
- The patch introduced should_strip_auth to check scheme/port changes
- Tests were added for https->http redirect cases

The pre-patch rebuild_auth and resolve_redirects functions failed to account for scheme downgrades on same-host redirects, making them the vulnerable components. The high confidence comes from direct evidence in the patch changes and CVE description.
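To make the root cause above concrete, the following added example (illustrative code written for this page, not the requests project's own implementation) models the two redirect policies side by side: a hostname-only check, which is the pre-patch behaviour, and a scheme- and port-aware check in the spirit of the patched should_strip_auth. It then walks a constructed same-host https-to-http redirect chain and reports whether the Authorization header reached a plaintext hop. The URLs, header values and the follow_redirects helper are constructed for the demonstration; nothing touches the network.

```python
"""Added example: the same-host scheme-downgrade check behind CVE-2018-18074.

Illustrative code, not the requests project's own implementation. It contrasts
a hostname-only policy (pre-patch) with a policy that also strips the
Authorization header on scheme or port changes (patched behaviour).
"""
from urllib.parse import urlparse

DEFAULT_PORTS = {"http": 80, "https": 443}


def _effective_port(parsed):
    """Port actually used by a URL, filling in the scheme default."""
    return parsed.port if parsed.port is not None else DEFAULT_PORTS.get(parsed.scheme)


def strip_auth_hostname_only(old_url, new_url):
    """Pre-patch logic: the header survives any same-host redirect."""
    return urlparse(old_url).hostname != urlparse(new_url).hostname


def should_strip_auth(old_url, new_url):
    """Patched logic: strip when host, scheme or effective port changes,
    except for a plain http -> https upgrade on the standard ports."""
    old, new = urlparse(old_url), urlparse(new_url)
    if old.hostname != new.hostname:
        return True
    old_port, new_port = _effective_port(old), _effective_port(new)
    # Upgrading to TLS on standard ports does not expose the credential; keep it.
    if old.scheme == "http" and old_port == 80 and new.scheme == "https" and new_port == 443:
        return False
    # Any downgrade or port change on the same host drops the header.
    return old.scheme != new.scheme or old_port != new_port


def follow_redirects(start_url, headers, redirects, policy):
    """Walk a constructed redirect chain and record the headers sent to each hop.

    `redirects` maps a URL to the Location it answers with; the chain ends at
    the first URL with no entry. Returns a list of (url, headers_sent).
    """
    sent = []
    url = start_url
    hdrs = dict(headers)
    sent.append((url, dict(hdrs)))
    while url in redirects:
        target = redirects[url]
        if "Authorization" in hdrs and policy(url, target):
            hdrs = {k: v for k, v in hdrs.items() if k != "Authorization"}
        url = target
        sent.append((url, dict(hdrs)))
    return sent


# Constructed scenario (hypothetical host): an https origin that redirects to
# the same host over plain http.
CHAIN = {"https://api.example.test/v1/me": "http://api.example.test/v1/me"}
START = "https://api.example.test/v1/me"
HEADERS = {"Authorization": "Basic <placeholder>", "Accept": "application/json"}


def auth_sent_over_plaintext(policy):
    """True if any http:// hop in the constructed chain carried Authorization."""
    return any(
        urlparse(u).scheme == "http" and "Authorization" in h
        for u, h in follow_redirects(START, HEADERS, CHAIN, policy)
    )


if __name__ == "__main__":
    print("hostname-only policy leaks credential:",
          auth_sent_over_plaintext(strip_auth_hostname_only))
    print("scheme/port-aware policy leaks credential:",
          auth_sent_over_plaintext(should_strip_auth))
```

The hostname-only policy forwards the header to the http hop, which is exactly the exposure the CVE describes; the scheme-aware policy strips it on the downgrade while still allowing the harmless http-to-https upgrade on default ports. When reviewing a client library, the useful check is the same one the test cases in the patch exercised: a same-host redirect that changes only the scheme or port must not carry credentials.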


WAF Protection Rules

WAF Rule

The Requests package through 2.19.1 before 2018-09-14 for Python sends an HTTP Authorization header to an http URI upon receiving a same-hostname https-to-http redirect, which makes it easier for remote attackers to discover credentials by sniffing t
