Information disclosure via HTTP redirect following with credential resending
Summary
Apprise is an open source library which allows you to send a notification to almost all of the most popular notification services available. Prior to 1.11.0, Apprise HTTP-based notification plugins and HTTP attachment and config loaders in apprise/attachment/http.py and apprise/config/http.py follow HTTP redirects by default and resend user-configured auth headers and query parameters on the redirected request, allowing a compromised trusted destination or on-path attacker to receive secrets such as Authorization headers, bearer tokens, custom headers, and service keys. This issue is fixed in version 1.11.0. A flaw was found in Apprise, an open-source library for sending notifications. This flaw affects the community-maintained python-apprise package as shipped in Fedora and EPEL. Red Hat does not ship Apprise in any core Red Hat product. Red Hat severity: Low — CVSS 3.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N). Weakness: CWE-201.
- < 1.11.0
Official advisory · high-confidence parse· fetched 1 hour ago·verify at source
Mitigation checklist
- Users of python-apprise on EPEL 8 should upgrade to 1.11.0 or later, which no longer resends authentication headers or query parameters on HTTP redirects. There is no server-side workaround; avoiding notification targets that are untrusted or capable of issuing redirects reduces exposure until the package is updated.
Official advisory · high-confidence parse· fetched 1 hour ago·verify at source
Discussion(0)
No comments yet. Share field notes, upgrade gotchas, or questions — verify against the vendor advisory before acting on community advice.
Sign in to join the discussion.