CVE-2022-23607: Unsafe handling of user-specified cookies in treq
(updated )
Treq’s request methods (treq.get, treq.post, HTTPClient.request, HTTPClient.get, etc.) accept cookies as a dictionary, for example:
treq.get('https://example.com/', cookies={'session': '1234'})
Such cookies are not bound to a single domain, and are therefore sent to every domain (“supercookies”). This can potentially cause sensitive information to leak upon an HTTP redirect to a different domain., e.g. should https://example.com redirect to http://cloudstorageprovider.com the latter will receive the cookie session.
References
- github.com/advisories/GHSA-fhpf-pp6p-55qc
- github.com/pypa/advisory-database/tree/main/vulns/treq/PYSEC-2022-26.yaml
- github.com/twisted/treq
- github.com/twisted/treq/commit/1da6022cc880bbcff59321abe02bf8498b89efb2
- github.com/twisted/treq/releases/tag/release-22.1.0
- github.com/twisted/treq/security/advisories/GHSA-fhpf-pp6p-55qc
- huntr.dev/bounties/3c9204fc-a3d1-4441-8599-924c5f57e7ae/?token=06d930e37046c914bcb037e85cc227dc7b510b475989fc69837566562ba899277d46b0fb4b1e21cdcb6ddc1b7d9b1ded632cf3a3551ecb89afca16a63b34641284b50479d5195bba2ac09b116f3dd4fad27f54404c2de922c05c8c8b744aec27bb4d4d198cb8b3abf479af0c2d5fbaa10412da7922594ac3eb39
- lists.debian.org/debian-lts-announce/2022/03/msg00025.html
- nvd.nist.gov/vuln/detail/CVE-2022-23607
Detect and mitigate CVE-2022-23607 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →