Описание
http.cookiejar.DefaultPolicy.domain_return_ok in Lib/http/cookiejar.py in Python before 3.7.3 does not correctly validate the domain: it can be tricked into sending existing cookies to the wrong server. An attacker may abuse this flaw by using a server with a hostname that has another valid hostname as a suffix (e.g., pythonicexample.com to steal cookies for example.com). When a program uses http.cookiejar.DefaultPolicy and tries to do an HTTP connection to an attacker-controlled server, existing cookies can be leaked to the attacker. This affects 2.x through 2.7.16, 3.x before 3.4.10, 3.5.x before 3.5.7, 3.6.x before 3.6.9, and 3.7.x before 3.7.3.
Отчет
This issue affects the versions of python as shipped with Red Hat Enterprise Linux 5, 6, and 7. This issue affects the versions of python3 as shipped with Red Hat Enterprise Linux 7 and 8. This issue affects the versions of python2 and python36 as shipped with Red Hat Enterprise Linux 8. Red Hat Enterprise Linux 5 is now in Extended Life Phase of the support and maintenance life cycle. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/. Red Hat Enterprise Linux 6 is now in Maintenance Support 2 Phase of the support and maintenance life cycle. This has been rated as having a security impact of Moderate, and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.
Меры по смягчению последствий
A potentially simple workaround in the absence of patch on affected versions is to set DomainStrict in the cookiepolicy that would make sure a literal match against domain. The disadvantage would be that cookie set on example.com would not be shared with subdomain which might break workflow.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Enterprise Linux 5 | python | Out of support scope | ||
| Red Hat Enterprise Linux 6 | python | Out of support scope | ||
| Red Hat Enterprise Linux 8 | python36:3.6/python36 | Not affected | ||
| Red Hat Quay 3 | python27 | Not affected | ||
| Red Hat Ansible Tower 3.5 for RHEL 7 | ansible-tower-35/ansible-tower | Fixed | RHBA-2020:1539 | 22.04.2020 |
| Red Hat Ansible Tower 3.6 for RHEL 7 | ansible-tower-36/ansible-tower | Fixed | RHBA-2020:1540 | 22.04.2020 |
| Red Hat Enterprise Linux 7 | python | Fixed | RHSA-2020:1131 | 31.03.2020 |
| Red Hat Enterprise Linux 7 | python3 | Fixed | RHSA-2020:1132 | 31.03.2020 |
| Red Hat Enterprise Linux 8 | python27 | Fixed | RHSA-2020:1605 | 28.04.2020 |
| Red Hat Enterprise Linux 8 | python3 | Fixed | RHSA-2020:1764 | 28.04.2020 |
Показывать по
Дополнительная информация
Статус:
EPSS
5.3 Medium
CVSS3
Связанные уязвимости
http.cookiejar.DefaultPolicy.domain_return_ok in Lib/http/cookiejar.py in Python before 3.7.3 does not correctly validate the domain: it can be tricked into sending existing cookies to the wrong server. An attacker may abuse this flaw by using a server with a hostname that has another valid hostname as a suffix (e.g., pythonicexample.com to steal cookies for example.com). When a program uses http.cookiejar.DefaultPolicy and tries to do an HTTP connection to an attacker-controlled server, existing cookies can be leaked to the attacker. This affects 2.x through 2.7.16, 3.x before 3.4.10, 3.5.x before 3.5.7, 3.6.x before 3.6.9, and 3.7.x before 3.7.3.
http.cookiejar.DefaultPolicy.domain_return_ok in Lib/http/cookiejar.py in Python before 3.7.3 does not correctly validate the domain: it can be tricked into sending existing cookies to the wrong server. An attacker may abuse this flaw by using a server with a hostname that has another valid hostname as a suffix (e.g., pythonicexample.com to steal cookies for example.com). When a program uses http.cookiejar.DefaultPolicy and tries to do an HTTP connection to an attacker-controlled server, existing cookies can be leaked to the attacker. This affects 2.x through 2.7.16, 3.x before 3.4.10, 3.5.x before 3.5.7, 3.6.x before 3.6.9, and 3.7.x before 3.7.3.
http.cookiejar.DefaultPolicy.domain_return_ok in Lib/http/cookiejar.py ...
EPSS
5.3 Medium
CVSS3