CVE-2025-46421 | THREATINT

Description

A flaw was found in libsoup. When libsoup clients encounter an HTTP redirect, they mistakenly send the HTTP Authorization header to the new host that the redirection points to. This allows the new host to impersonate the user to the original host that issued the redirect.

PUBLISHED Reserved 2025-04-24 | Published 2025-04-24 | Updated 2025-11-18 | Assigner redhat

MEDIUM: 6.8CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N

Problem types

Exposure of Sensitive System Information to an Unauthorized Control Sphere

Product status

Default status

unaffected

Any version before 3.6.5

affected

Default status

affected

0:3.6.5-3.el10_0 (rpm) before *

unaffected

Default status

affected

0:2.62.3-8.el8_10 (rpm) before *

unaffected

Default status

affected

0:2.62.3-8.el8_10 (rpm) before *

unaffected

Default status

affected

0:2.62.3-1.el8_2.4 (rpm) before *

unaffected

Default status

affected

0:2.62.3-2.el8_4.4 (rpm) before *

unaffected

Default status

affected

0:2.62.3-2.el8_4.4 (rpm) before *

unaffected

Default status

affected

0:2.62.3-2.el8_4.4 (rpm) before *

unaffected

Default status

affected

0:2.62.3-2.el8_6.4 (rpm) before *

unaffected

Default status

affected

0:2.62.3-2.el8_6.4 (rpm) before *

unaffected

Default status

affected

0:2.62.3-2.el8_6.4 (rpm) before *

unaffected

Default status

affected

0:2.62.3-3.el8_8.4 (rpm) before *

unaffected

Default status

affected

0:2.72.0-10.el9_6.1 (rpm) before *

unaffected

Default status

affected

0:2.72.0-8.el9_0.4 (rpm) before *

unaffected

Default status

affected

0:2.72.0-8.el9_2.4 (rpm) before *

unaffected

Default status

affected

0:2.72.0-8.el9_4.4 (rpm) before *

unaffected

Default status

unknown

Default status

unknown

Timeline

2025-04-24:	Reported to Red Hat.
2025-04-24:	Made public.

References

access.redhat.com/errata/RHSA-2025:4439 (RHSA-2025:4439) vendor-advisory

access.redhat.com/errata/RHSA-2025:4440 (RHSA-2025:4440) vendor-advisory

access.redhat.com/errata/RHSA-2025:4508 (RHSA-2025:4508) vendor-advisory

access.redhat.com/errata/RHSA-2025:4538 (RHSA-2025:4538) vendor-advisory

access.redhat.com/errata/RHSA-2025:4560 (RHSA-2025:4560) vendor-advisory

access.redhat.com/errata/RHSA-2025:4568 (RHSA-2025:4568) vendor-advisory

access.redhat.com/errata/RHSA-2025:4609 (RHSA-2025:4609) vendor-advisory

access.redhat.com/errata/RHSA-2025:4624 (RHSA-2025:4624) vendor-advisory

access.redhat.com/errata/RHSA-2025:7436 (RHSA-2025:7436) vendor-advisory

access.redhat.com/errata/RHSA-2025:7505 (RHSA-2025:7505) vendor-advisory

access.redhat.com/security/cve/CVE-2025-46421 vdb-entry

bugzilla.redhat.com/show_bug.cgi?id=2361962 (RHBZ#2361962) issue-tracking

gitlab.gnome.org/GNOME/libsoup/-/issues/439

cve.org (CVE-2025-46421)

nvd.nist.gov (CVE-2025-46421)

Download JSON

help @ threatint.eu