CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:N/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
EPSS
Percentile
62.0%
treq is an HTTP library inspired by requests but written on top of
Twisted’s Agents. Treq’s request methods (treq.get
, treq.post
, etc.)
and treq.client.HTTPClient
constructor accept cookies as a dictionary.
Such cookies are not bound to a single domain, and are therefore sent to
every domain (“supercookies”). This can potentially cause sensitive
information to leak upon an HTTP redirect to a different domain., e.g.
should https://example.com
redirect to http://cloudstorageprovider.com
the latter will receive the cookie session
. Treq 2021.1.0 and later bind
cookies given to request methods (treq.request
, treq.get
,
HTTPClient.request
, HTTPClient.get
, etc.) to the origin of the url
parameter. Users are advised to upgrade. For users unable to upgrade
Instead of passing a dictionary as the cookies argument, pass a
http.cookiejar.CookieJar
instance with properly domain- and scheme-scoped
cookies in it.
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
ubuntu | 18.04 | noarch | python-treq | < any | UNKNOWN |
ubuntu | 20.04 | noarch | python-treq | < any | UNKNOWN |
ubuntu | 22.04 | noarch | python-treq | < any | UNKNOWN |
ubuntu | 24.04 | noarch | python-treq | < any | UNKNOWN |
github.com/twisted/treq/commit/1da6022cc880bbcff59321abe02bf8498b89efb2 (release-22.1.0)
github.com/twisted/treq/security/advisories/GHSA-fhpf-pp6p-55qc
launchpad.net/bugs/cve/CVE-2022-23607
nvd.nist.gov/vuln/detail/CVE-2022-23607
security-tracker.debian.org/tracker/CVE-2022-23607
www.cve.org/CVERecord?id=CVE-2022-23607
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:N/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
EPSS
Percentile
62.0%