CVE-2018-20852

python: Cookie domain check returns incorrect results

Severity Score

5.3

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

http.cookiejar.DefaultPolicy.domain_return_ok in Lib/http/cookiejar.py in Python before 3.7.3 does not correctly validate the domain: it can be tricked into sending existing cookies to the wrong server. An attacker may abuse this flaw by using a server with a hostname that has another valid hostname as a suffix (e.g., pythonicexample.com to steal cookies for example.com). When a program uses http.cookiejar.DefaultPolicy and tries to do an HTTP connection to an attacker-controlled server, existing cookies can be leaked to the attacker. This affects 2.x through 2.7.16, 3.x before 3.4.10, 3.5.x before 3.5.7, 3.6.x before 3.6.9, and 3.7.x before 3.7.3.

http.cookiejar.DefaultPolicy.domain_return_ok en Lib / http / cookiejar.py en Python en versiones anteriores a la 3.7.3 no valida correctamente el dominio: se puede engañar para que envíe las cookies existentes al servidor incorrecto. Un atacante puede abusar de este fallo al usar un servidor con un nombre de host que tiene otro nombre de host válido como sufijo (por ejemplo, pythonicexample.com para robar cookies para example.com). Cuando un programa utiliza http.cookiejar.DefaultPolicy e intenta hacer una conexión HTTP a un servidor controlado por un atacante, las cookies existentes pueden ser filtradas al atacante. Esto afecta a la versión 2.x hasta la versión 2.7.16, versión 3.x en versiones anteriores a la 3.4.10, versión 3.5.x en versiones anteriores a la 3.5.7, versión 3.6.x en versiones anteriores a la 3.6.9 y versión 3.7.x en versiones anteriores a la 3.7.3.

Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems. This package provides the "python3" executable: the reference interpreter for the Python language, version 3. The majority of its standard library is provided in the python3-libs package, which should be installed automatically along with python3. The remaining parts of the Python standard library are broken out into the python3-tkinter and python3-test packages. Issues addressed include an incorrect parsing vulnerability.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

None

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

Partial

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2019-07-13 CVE Reserved
2019-07-13 CVE Published
2024-08-05 CVE Updated
2024-08-05 First Exploit
2025-06-18 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-20: Improper Input Validation

CAPEC

References (20)

URL	Tag	Source
https://lists.debian.org/debian-lts-announce/2019/08/msg00022.html	Mailing List
https://lists.debian.org/debian-lts-announce/2019/08/msg00040.html	Mailing List
https://lists.debian.org/debian-lts-announce/2020/07/msg00011.html	Mailing List
https://lists.debian.org/debian-lts-announce/2020/08/msg00034.html	Mailing List
https://www.oracle.com/security-alerts/cpuapr2020.html	X_refsource_misc

URL	Date	SRC
https://bugs.python.org/issue35121	2024-08-05

URL	Date	SRC

URL	Date	SRC
http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00071.html	2023-11-07
http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00074.html	2023-11-07
http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00040.html	2023-11-07
https://access.redhat.com/errata/RHSA-2019:3725	2023-11-07
https://access.redhat.com/errata/RHSA-2019:3948	2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/COATURTCY7G67AYI6UDV5B2JZTBCKIDX	2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/K7HNVIFMETMFWWWUNTB72KYJYXCZOS5V	2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZBTGPBUABGXZ7WH7677OEM3NSP6ZEA76	2023-11-07
https://python-security.readthedocs.io/vuln/cookie-domain-check.html	2023-11-07
https://security.gentoo.org/glsa/202003-26	2023-11-07
https://usn.ubuntu.com/4127-1	2023-11-07
https://usn.ubuntu.com/4127-2	2023-11-07
https://access.redhat.com/security/cve/CVE-2018-20852	2020-04-28
https://bugzilla.redhat.com/show_bug.cgi?id=1740347	2020-04-28

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Python Search vendor "Python"		Python Search vendor "Python" for product "Python"				>= 2.0 <= 2.7.16 Search vendor "Python" for product "Python" and version " >= 2.0 <= 2.7.16"		-		Affected
Python Search vendor "Python"		Python Search vendor "Python" for product "Python"				>= 3.0.0 < 3.4.10 Search vendor "Python" for product "Python" and version " >= 3.0.0 < 3.4.10"		-		Affected
Python Search vendor "Python"		Python Search vendor "Python" for product "Python"				>= 3.5.0 < 3.5.7 Search vendor "Python" for product "Python" and version " >= 3.5.0 < 3.5.7"		-		Affected
Python Search vendor "Python"		Python Search vendor "Python" for product "Python"				>= 3.6.0 < 3.6.9 Search vendor "Python" for product "Python" and version " >= 3.6.0 < 3.6.9"		-		Affected
Python Search vendor "Python"		Python Search vendor "Python" for product "Python"				>= 3.7.0 < 3.7.3 Search vendor "Python" for product "Python" and version " >= 3.7.0 < 3.7.3"		-		Affected