CVE-2018-20852

See a problem?

Source

https://nvd.nist.gov/vuln/detail/CVE-2018-20852

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2018-20852.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2018-20852

Related

Published

2019-07-13T21:15:10Z

Modified

2024-09-11T02:00:05Z

Severity

5.3 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator

Summary

[none]

Details

http.cookiejar.DefaultPolicy.domainreturnok in Lib/http/cookiejar.py in Python before 3.7.3 does not correctly validate the domain: it can be tricked into sending existing cookies to the wrong server. An attacker may abuse this flaw by using a server with a hostname that has another valid hostname as a suffix (e.g., pythonicexample.com to steal cookies for example.com). When a program uses http.cookiejar.DefaultPolicy and tries to do an HTTP connection to an attacker-controlled server, existing cookies can be leaked to the attacker. This affects 2.x through 2.7.16, 3.x before 3.4.10, 3.5.x before 3.5.7, 3.6.x before 3.6.9, and 3.7.x before 3.7.3.

References

Affected packages

Debian:11 / python2.7

Package

Name: python2.7
Purl: pkg:deb/debian/python2.7?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.7.16-3

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/python/cpython

Affected ranges

Type: GIT
Repo: https://github.com/python/cpython
Events: Introduced

2e789a1f1d84b343a996e8654590703b5fbdd441

Fixed

1917d9b7c266d8be9ef1b403e38411ba871a0a37