CVE-2018-20852

Published: 13 July 2019

http.cookiejar.DefaultPolicy.domain_return_ok in Lib/http/cookiejar.py in Python before 3.7.3 does not correctly validate the domain: it can be tricked into sending existing cookies to the wrong server. An attacker may abuse this flaw by using a server with a hostname that has another valid hostname as a suffix (e.g., pythonicexample.com to steal cookies for example.com). When a program uses http.cookiejar.DefaultPolicy and tries to do an HTTP connection to an attacker-controlled server, existing cookies can be leaked to the attacker. This affects 2.x through 2.7.16, 3.x before 3.4.10, 3.5.x before 3.5.7, 3.6.x before 3.6.9, and 3.7.x before 3.7.3.

Priority

Medium

CVSS 3 base score: 5.3

Status

Package Release Status
python2.7
Launchpad, Ubuntu, Debian
Upstream
Released (2.7.16-3)
Ubuntu 21.04 (Hirsute Hippo) Not vulnerable
(2.7.16-3)
Ubuntu 20.04 LTS (Focal Fossa) Not vulnerable
(2.7.16-3)
Ubuntu 18.04 LTS (Bionic Beaver)
Released (2.7.15-4ubuntu4~18.04.1)
Ubuntu 16.04 ESM (Xenial Xerus)
Released (2.7.12-1ubuntu0~16.04.8)
Ubuntu 14.04 ESM (Trusty Tahr)
Released (2.7.6-8ubuntu0.6+esm2)
Patches:
Upstream: https://github.com/python/cpython/commit/979daae300916adb399ab5b51410b6ebd0888f13
python3.4
Launchpad, Ubuntu, Debian
Upstream
Released (3.4.10)
Ubuntu 21.04 (Hirsute Hippo) Does not exist

Ubuntu 20.04 LTS (Focal Fossa) Does not exist

Ubuntu 18.04 LTS (Bionic Beaver) Does not exist

Ubuntu 16.04 ESM (Xenial Xerus) Does not exist

Ubuntu 14.04 ESM (Trusty Tahr)
Released (3.4.3-1ubuntu1~14.04.7+esm2)
Patches:
Upstream: https://github.com/python/cpython/commit/42ad4101d3ba7ca3c371dadf0f8880764c9f15fb
python3.5
Launchpad, Ubuntu, Debian
Upstream
Released (3.5.7)
Ubuntu 21.04 (Hirsute Hippo) Does not exist

Ubuntu 20.04 LTS (Focal Fossa) Does not exist

Ubuntu 18.04 LTS (Bionic Beaver) Does not exist

Ubuntu 16.04 ESM (Xenial Xerus)
Released (3.5.2-2ubuntu0~16.04.8)
Ubuntu 14.04 ESM (Trusty Tahr) Needed

Patches:
Upstream: https://github.com/python/cpython/commit/4749f1b69000259e23b4cc6f63c542a9bdc62f1b
python3.6
Launchpad, Ubuntu, Debian
Upstream
Released (3.6.9)
Ubuntu 21.04 (Hirsute Hippo) Does not exist

Ubuntu 20.04 LTS (Focal Fossa) Does not exist

Ubuntu 18.04 LTS (Bionic Beaver)
Released (3.6.8-1~18.04.2)
Ubuntu 16.04 ESM (Xenial Xerus) Does not exist

Ubuntu 14.04 ESM (Trusty Tahr) Does not exist

Patches:
Upstream: https://github.com/python/cpython/commit/b241af861b37e20ad30533bc0b7e2e5491cc470f
python3.7
Launchpad, Ubuntu, Debian
Upstream
Released (3.7.3~rc1-1)
Ubuntu 21.04 (Hirsute Hippo) Does not exist

Ubuntu 20.04 LTS (Focal Fossa) Does not exist

Ubuntu 18.04 LTS (Bionic Beaver) Not vulnerable
(3.7.3-2)
Ubuntu 16.04 ESM (Xenial Xerus) Does not exist

Ubuntu 14.04 ESM (Trusty Tahr) Does not exist

Patches:
Upstream: https://github.com/python/cpython/commit/e5123d81ffb3be35a1b2767d6ced1a097aaf77be