CVE-2018-20852 Information
Description
http.cookiejar.DefaultPolicy.domain_return_ok in Lib/http/cookiejar.py in Python before 3.7.3 does not correctly validate the domain: it can be tricked into sending existing cookies to the wrong server. An attacker may abuse this flaw by using a server with a hostname that has another valid hostname as a suffix (e.g. pythonicexample.com to steal cookies for example.com). When a program uses http.cookiejar.DefaultPolicy and tries to do an HTTP connection to an attacker-controlled server existing cookies can be leaked to the attacker. This affects 2.x through 2.7.16 3.x before 3.4.10 3.5.x before 3.5.7 3.6.x before 3.6.9 and 3.7.x before 3.7.3.
CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Reference
http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00071.html http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00074.html http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00040.html https://access.redhat.com/errata/RHSA-2019:3725 https://access.redhat.com/errata/RHSA-2019:3948 https://bugs.python.org/issue35121 https://lists.debian.org/debian-lts-announce/2019/08/msg00022.html https://lists.debian.org/debian-lts-announce/2019/08/msg00040.html https://lists.debian.org/debian-lts-announce/2020/07/msg00011.html https://lists.debian.org/debian-lts-announce/2020/08/msg00034.html https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/COATURTCY7G67AYI6UDV5B2JZTBCKIDX/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/K7HNVIFMETMFWWWUNTB72KYJYXCZOS5V/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZBTGPBUABGXZ7WH7677OEM3NSP6ZEA76/ https://python-security.readthedocs.io/vuln/cookie-domain-check.html https://security.gentoo.org/glsa/202003-26 https://usn.ubuntu.com/4127-1/ https://usn.ubuntu.com/4127-2/ https://www.oracle.com/security-alerts/cpuapr2020.html
Attack Complexity
LOW
Privileges Required
NONE
User Interaction Required
NONE
Scope
NONE
Confidentiality Impact
UNCHANGED
Integrity Impact
LOW
Availability Impact
NONE
Base Score
NONE
Base Severity
5.3
Share on: