CVE-2022-23607 Information
Description
treq is an HTTP library inspired by requests but written on top of Twisted's Agents. Treq's request methods (treq.get, treq.post, etc.) and the treq.client.HTTPClient constructor accept cookies as a dictionary. Such cookies are not bound to a single domain and are therefore sent to every domain ("supercookies"). This can cause sensitive information to leak upon an HTTP redirect to a different domain: for example, should https://example.com redirect to http://cloudstorageprovider.com, the latter will receive the session cookie (note that the redirect in this example also downgrades from https to http, so a cookie that is not marked Secure leaks over plaintext as well). Treq 2021.1.0 and later bind cookies given to request methods (treq.request, treq.get, HTTPClient.request, HTTPClient.get, etc.) to the origin of the url parameter. Users are advised to upgrade. For users unable to upgrade: instead of passing a dictionary as the cookies argument, pass an http.cookiejar.CookieJar instance with properly domain- and scheme-scoped cookies in it.
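The workaround above, as an added example that is not part of the advisory or of the treq project: it builds a http.cookiejar.CookieJar whose cookies are bound to one domain and to HTTPS, then checks offline, using only the standard library's DefaultCookiePolicy, which cookies that jar would attach to a given URL. The hostnames, cookie names and values are constructed for the example; the helper names (make_scoped_cookie, scoped_cookie_jar, cookies_sent_to, redirect_leak_report) are assumptions of this example, not treq API.

```python
# Added example (not from the treq advisory or the treq project): a
# CookieJar with domain- and scheme-scoped cookies, plus an offline check of
# which cookies the jar would release to a given URL. Hostnames and values
# below are constructed for illustration.
from http.cookiejar import Cookie, CookieJar
from urllib.request import Request


def make_scoped_cookie(name, value, domain, secure=True, path="/"):
    """Build a Netscape-style (version 0) cookie bound to `domain` and `path`.

    secure=True means the jar's policy only releases it over https/wss, so a
    redirect that downgrades to http:// does not carry it.
    """
    return Cookie(
        version=0, name=name, value=value,
        port=None, port_specified=False,
        domain=domain, domain_specified=True,
        domain_initial_dot=domain.startswith("."),
        path=path, path_specified=True,
        secure=secure, expires=None, discard=True,
        comment=None, comment_url=None, rest={}, rfc2109=False,
    )


def scoped_cookie_jar(cookies, domain, secure=True):
    """Replacement for the dict-style cookies={...} argument: a jar in which
    every cookie is scoped to `domain` (and its subdomains) instead of being
    a supercookie sent to every host."""
    jar = CookieJar()  # DefaultCookiePolicy enforces domain, path and Secure
    for name, value in cookies.items():
        jar.set_cookie(make_scoped_cookie(name, value, domain, secure=secure))
    return jar


def cookies_sent_to(jar, url):
    """Names of the cookies the jar's policy would attach to a request for `url`.

    Goes through CookieJar.add_cookie_header, the same path a urllib client
    uses, so the result reflects the policy's domain/path/Secure decisions.
    """
    request = Request(url)
    jar.add_cookie_header(request)
    header = request.get_header("Cookie")
    if not header:
        return []
    return sorted(part.split("=", 1)[0] for part in header.split("; "))


def redirect_leak_report(jar, origin_url, redirect_url):
    """What reaches the original origin versus a redirect target."""
    return {
        "origin": cookies_sent_to(jar, origin_url),
        "redirect_target": cookies_sent_to(jar, redirect_url),
    }


if __name__ == "__main__":
    # Constructed values: a session cookie that must only reach example.com.
    jar = scoped_cookie_jar({"session": "s3cr3t-session-id"}, domain="example.com")
    # With treq this jar would be passed as cookies=jar in place of the dict.
    print(redirect_leak_report(jar, "https://example.com/login",
                               "http://cloudstorageprovider.com/upload"))
    # {'origin': ['session'], 'redirect_target': []}
```

The Secure flag is what covers the scheme half of "domain- and scheme-scoped": with secure=False the jar would still refuse to send the cookie to cloudstorageprovider.com, but it would send it to http://example.com, so a downgrade redirect on the same host would expose it in cleartext.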
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
Reference
https://github.com/twisted/treq/security/advisories/GHSA-fhpf-pp6p-55qc
https://lists.debian.org/debian-lts-announce/2022/03/msg00025.html
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction Required
REQUIRED
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
Base Score
7.4
Base Severity
HIGH