Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
osvGoogleOSV:GHSA-FHPF-PP6P-55QC
HistoryFeb 01, 2022 - 12:43 a.m.

Unsafe handling of user-specified cookies in treq

2022-02-0100:43:38
Google
osv.dev
22
treq
user-specified cookies
security advisory

EPSS

0.005

Percentile

77.0%

JSON

Impact

Treq’s request methods (treq.get, treq.post, HTTPClient.request, HTTPClient.get, etc.) accept cookies as a dictionary, for example:

treq.get('https://example.com/', cookies={'session': '1234'})

Such cookies are not bound to a single domain, and are therefore sent to every domain (“supercookies”). This can potentially cause sensitive information to leak upon an HTTP redirect to a different domain., e.g. should https://example.com redirect to http://cloudstorageprovider.com the latter will receive the cookie session.

Patches

Treq 2021.1.0 and later bind cookies given to request methods (treq.request, treq.get, HTTPClient.request, HTTPClient.get, etc.) to the origin of the url parameter.

Workarounds

Instead of passing a dictionary as the cookies argument, pass a http.cookiejar.CookieJar instance with properly domain- and scheme-scoped cookies in it:

from http.cookiejar import CookieJar
from requests.cookies import create_cookie

jar = CookieJar()
jar.add_cookie(
    create_cookie(
        name='session',
        value='1234',
        domain='example.com',
        secure=True,
    ),
)
client = HTTPClient(cookies=jar)
client.get('https://example.com/')

References

  • Originally reported at huntr.dev
  • A related issue in the handling of HTTP basic authentication was addressed in Twisted 22.1 (GHSA-92x2-jw7w-xvvx, CVE-2022-21712).

Related

github 2
prion 2
suse 2
osv 8
nvd 2
veracode 2
openvas 11
cvelist 2
debian 2
freebsd 1
debiancve 2
ubuntucve 2
nessus 15
cve 2
redhatcve 1
ibm 1
cbl_mariner 2
alpinelinux 1
redhat 2
ubuntu 1
gentoo 1
fedora 2
mageia 1
github
github
Unsafe handling of user-specified cookies in treq
2022-02-01 00:43:38
Cookie and header exposure in twisted
2022-02-07 22:36:00
prion
prion
Design/Logic Flaw
2022-02-01 11:15:00
Design/Logic Flaw
2022-02-07 22:15:00
suse
suse
Security update for python-treq (moderate)
2022-08-24 00:00:00
Security update for python-Twisted (important)
2022-02-18 00:00:00
osv
osv
python-treq - security update
2022-03-18 00:00:00
CVE-2022-23607
2022-02-01 11:15:11
PYSEC-2022-26
2022-02-01 11:15:00
nvd
nvd
CVE-2022-23607
2022-02-01 11:15:11
CVE-2022-21712
2022-02-07 22:15:08
veracode
veracode
Information Disclosure
2022-02-03 06:56:04
Information Disclosure
2022-02-08 09:41:27
openvas
openvas
Debian: Security Advisory (DLA-2954-1)
2022-03-19 00:00:00
Twisted Web 11.1 < 22.1 Information Disclosure Vulnerability
2022-03-22 00:00:00
openSUSE: Security Advisory for python-Twisted (openSUSE-SU-2022:0499-1)
2022-02-22 00:00:00
cvelist
cvelist
CVE-2022-23607 Unsafe handling of user-specified cookies in treq
2022-02-01 11:01:07
CVE-2022-21712 Cookie and header exposure in twisted
2022-02-07 00:00:00
debian
debian
[SECURITY] [DLA 2954-1] python-treq security update
2022-03-18 10:46:27
[SECURITY] [DLA 2927-1] twisted security update
2022-02-19 16:30:59
freebsd
freebsd
py-treq -- sensitive information leak vulnerability
2022-02-01 00:00:00
debiancve
debiancve
CVE-2022-23607
2022-02-01 11:15:11
CVE-2022-21712
2022-02-07 22:15:08
ubuntucve
ubuntucve
CVE-2022-23607
2022-02-01 00:00:00
CVE-2022-21712
2022-02-07 00:00:00
nessus
nessus
Debian DLA-2954-1 : python-treq - LTS security update
2022-03-18 00:00:00
FreeBSD : py-treq -- sensitive information leak vulnerability (181f5e49-b71d-4527-9464-d4624d69acc3)
2023-08-31 00:00:00
SUSE SLES12 Security Update : python-Twisted (SUSE-SU-2022:0734-1)
2022-03-22 00:00:00
cve
cve
CVE-2022-23607
2022-02-01 11:15:11
CVE-2022-21712
2022-02-07 22:15:08
redhatcve
redhatcve
CVE-2022-21712
2022-02-08 09:16:30
ibm
ibm
Security Bulletin: IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to cookie and authorization header exposure in Twisted (CVE-2022-21712).
2023-01-12 21:59:00
cbl_mariner
cbl_mariner
CVE-2022-21712 affecting package python-twisted 20.3.0-4
2022-03-09 18:31:42
CVE-2022-21712 affecting package python-twisted for versions less than 22.2.0-1
2022-04-14 19:39:45
alpinelinux
alpinelinux
CVE-2022-21712
2022-02-07 22:15:08
redhat
redhat
(RHSA-2022:0992) Important: Red Hat OpenStack Platform 16.2 (python-twisted) security update
2022-03-23 20:19:53
(RHSA-2022:0982) Important: Red Hat OpenStack Platform 16.1 (python-twisted) security update
2022-03-24 09:39:14
ubuntu
ubuntu
Twisted vulnerabilities
2022-03-30 00:00:00
gentoo
gentoo
Twisted: Multiple Vulnerabilities
2023-01-11 00:00:00
fedora
fedora
[SECURITY] Fedora 35 Update: python-twisted-22.4.0-1.fc35
2022-07-03 01:21:11
[SECURITY] Fedora 36 Update: python-twisted-22.4.0-1.fc36
2022-07-03 01:07:05
mageia
mageia
Updated python-twisted packages fix security vulnerability
2022-05-12 13:24:45

EPSS

0.005

Percentile

77.0%

JSON
Related for OSV:GHSA-FHPF-PP6P-55QC
github2prion2suse2osv8nvd2veracode2openvas11cvelist2debian2freebsd1debiancve2ubuntucve2nessus15cve2redhatcve1ibm1cbl_mariner2alpinelinux1redhat2ubuntu1gentoo1fedora2mageia1