{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2014-01-27T00:00:00", "descriptions": [{"lang": "en", "value": "Requests (aka python-requests) before 2.3.0 allows remote servers to obtain a netrc password by reading the Authorization header in a redirected request."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2015-04-21T12:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=733108"}, {"name": "MDVSA-2015:133", "tags": ["vendor-advisory", "x_refsource_MANDRIVA"], "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2015:133"}, {"name": "USN-2382-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "http://www.ubuntu.com/usn/USN-2382-1"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/kennethreitz/requests/issues/1885"}, {"name": "DSA-3146", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "http://www.debian.org/security/2015/dsa-3146"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://advisories.mageia.org/MGASA-2014-0409.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2014-1829", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Requests (aka python-requests) before 2.3.0 allows remote servers to obtain a netrc password by reading the Authorization header in a redirected request."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=733108", "refsource": "CONFIRM", "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=733108"}, {"name": "MDVSA-2015:133", "refsource": "MANDRIVA", "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2015:133"}, {"name": "USN-2382-1", "refsource": "UBUNTU", "url": "http://www.ubuntu.com/usn/USN-2382-1"}, {"name": "https://github.com/kennethreitz/requests/issues/1885", "refsource": "CONFIRM", "url": "https://github.com/kennethreitz/requests/issues/1885"}, {"name": "DSA-3146", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2015/dsa-3146"}, {"name": "http://advisories.mageia.org/MGASA-2014-0409.html", "refsource": "CONFIRM", "url": "http://advisories.mageia.org/MGASA-2014-0409.html"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T09:50:11.165Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=733108"}, {"name": "MDVSA-2015:133", "tags": ["vendor-advisory", "x_refsource_MANDRIVA", "x_transferred"], "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2015:133"}, {"name": "USN-2382-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU", "x_transferred"], "url": "http://www.ubuntu.com/usn/USN-2382-1"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/kennethreitz/requests/issues/1885"}, {"name": "DSA-3146", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "http://www.debian.org/security/2015/dsa-3146"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://advisories.mageia.org/MGASA-2014-0409.html"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2014-1829", "datePublished": "2014-10-15T14:00:00", "dateReserved": "2014-01-30T00:00:00", "dateUpdated": "2024-08-06T09:50:11.165Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "16F59A04-14CF-49E2-9973-645477EA09DA", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:python:requests:*:*:*:*:*:*:*:*", "matchCriteriaId": "79441BF0-F885-4440-B795-5F59EFBD53BE", "versionEndIncluding": "2.2.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*", "matchCriteriaId": "B5A6F2F3-4894-4392-8296-3B8DD2679084", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:mageia:mageia:4.0:*:*:*:*:*:*:*", "matchCriteriaId": "F805A106-9A6F-48E7-8582-D3C5A26DFC11", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Requests (aka python-requests) before 2.3.0 allows remote servers to obtain a netrc password by reading the Authorization header in a redirected request."}, {"lang": "es", "value": "Requests(tambi\u00e9n conocido como python-requests) anterior a 2.3.0 permite a atacantes remotos obtener una contrase\u00f1a netrc leyendo la cabecera 'Authorization' en una petici\u00f3n de redirecci\u00f3n."}], "id": "CVE-2014-1829", "lastModified": "2016-08-30T17:11:36.150", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2014-10-15T14:55:05.400", "references": [{"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "http://advisories.mageia.org/MGASA-2014-0409.html"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "http://www.debian.org/security/2015/dsa-3146"}, {"source": "cve@mitre.org", "tags": ["Broken Link"], "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2015:133"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "http://www.ubuntu.com/usn/USN-2382-1"}, {"source": "cve@mitre.org", "tags": ["Issue Tracking"], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=733108"}, {"source": "cve@mitre.org", "tags": ["Patch", "Issue Tracking"], "url": "https://github.com/kennethreitz/requests/issues/1885"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "python-requests: redirect can expose netrc password", "id": "1046626", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1046626"}, "csaw": false, "cvss": {"cvss_base_score": "2.6", "cvss_scoring_vector": "AV:N/AC:H/Au:N/C:P/I:N/A:N", "status": "draft"}, "cwe": "CWE-285->CWE-201", "details": ["Requests (aka python-requests) before 2.3.0 allows remote servers to obtain a netrc password by reading the Authorization header in a redirected request."], "name": "CVE-2014-1829", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "python-requests", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/a:redhat:openstack:3", "fix_state": "Will not fix", "package_name": "python-requests", "product_name": "Red Hat OpenStack Platform 3"}, {"cpe": "cpe:/a:redhat:openstack:4", "fix_state": "Affected", "package_name": "python-requests", "product_name": "Red Hat OpenStack Platform 4"}], "public_date": "2013-12-25T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2014-1829\nhttps://nvd.nist.gov/vuln/detail/CVE-2014-1829"], "statement": "This issue did not affect the versions of python-requests as shipped with Red Hat Enterprise Linux 7 as they included a fix for this issue at GA.\nRed Hat Product Security has rated this issue as having Low security impact. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.", "threat_severity": "Low", "upstream_fix": "python-requests 2.3.0"}