CVE-2018-20852
Published: 13 July 2019
http.cookiejar.DefaultPolicy.domain_return_ok in Lib/http/cookiejar.py in Python before 3.7.3 does not correctly validate the domain: it can be tricked into sending existing cookies to the wrong server. An attacker may abuse this flaw by using a server with a hostname that has another valid hostname as a suffix (e.g., pythonicexample.com to steal cookies for example.com). When a program uses http.cookiejar.DefaultPolicy and tries to do an HTTP connection to an attacker-controlled server, existing cookies can be leaked to the attacker. This affects 2.x through 2.7.16, 3.x before 3.4.10, 3.5.x before 3.5.7, 3.6.x before 3.6.9, and 3.7.x before 3.7.3.
Priority
CVSS 3 base score: 5.3
Status
Package | Release | Status |
---|---|---|
python2.7 Launchpad, Ubuntu, Debian |
bionic |
Released
(2.7.15-4ubuntu4~18.04.1)
|
cosmic |
Ignored
(reached end-of-life)
|
|
disco |
Released
(2.7.16-2ubuntu0.1)
|
|
eoan |
Not vulnerable
(2.7.16-3)
|
|
focal |
Not vulnerable
(2.7.16-3)
|
|
groovy |
Not vulnerable
(2.7.16-3)
|
|
hirsute |
Not vulnerable
(2.7.16-3)
|
|
impish |
Not vulnerable
(2.7.16-3)
|
|
jammy |
Not vulnerable
(2.7.16-3)
|
|
precise |
Released
(2.7.3-0ubuntu3.14)
|
|
trusty |
Released
(2.7.6-8ubuntu0.6+esm2)
|
|
upstream |
Released
(2.7.16-3)
|
|
xenial |
Released
(2.7.12-1ubuntu0~16.04.8)
|
|
python3.4 Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
cosmic |
Does not exist
|
|
disco |
Does not exist
|
|
eoan |
Does not exist
|
|
focal |
Does not exist
|
|
groovy |
Does not exist
|
|
hirsute |
Does not exist
|
|
impish |
Does not exist
|
|
jammy |
Does not exist
|
|
precise |
Does not exist
|
|
trusty |
Released
(3.4.3-1ubuntu1~14.04.7+esm2)
|
|
upstream |
Released
(3.4.10)
|
|
xenial |
Does not exist
|
|
python3.5 Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
cosmic |
Does not exist
|
|
disco |
Does not exist
|
|
eoan |
Does not exist
|
|
focal |
Does not exist
|
|
groovy |
Does not exist
|
|
hirsute |
Does not exist
|
|
impish |
Does not exist
|
|
jammy |
Does not exist
|
|
precise |
Does not exist
|
|
trusty |
Needed
|
|
upstream |
Released
(3.5.7)
|
|
xenial |
Released
(3.5.2-2ubuntu0~16.04.8)
|
|
python3.6 Launchpad, Ubuntu, Debian |
bionic |
Released
(3.6.8-1~18.04.2)
|
cosmic |
Ignored
(reached end-of-life)
|
|
disco |
Does not exist
|
|
eoan |
Does not exist
|
|
focal |
Does not exist
|
|
groovy |
Does not exist
|
|
hirsute |
Does not exist
|
|
impish |
Does not exist
|
|
jammy |
Does not exist
|
|
precise |
Does not exist
|
|
trusty |
Does not exist
|
|
upstream |
Released
(3.6.9)
|
|
xenial |
Does not exist
|
|
python3.7 Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
(3.7.3-2)
|
cosmic |
Not vulnerable
(3.7.3-2)
|
|
disco |
Not vulnerable
(3.7.3-2)
|
|
eoan |
Not vulnerable
(3.7.3-2)
|
|
focal |
Does not exist
|
|
groovy |
Does not exist
|
|
hirsute |
Does not exist
|
|
impish |
Does not exist
|
|
jammy |
Does not exist
|
|
precise |
Does not exist
|
|
trusty |
Does not exist
|
|
upstream |
Released
(3.7.3~rc1-1)
|
|
xenial |
Does not exist
|