// For flags

CVE-2022-23607

Unsafe handling of user-specified cookies in treq

Severity Score

6.5
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

treq is an HTTP library inspired by requests but written on top of Twisted's Agents. Treq's request methods (`treq.get`, `treq.post`, etc.) and `treq.client.HTTPClient` constructor accept cookies as a dictionary. Such cookies are not bound to a single domain, and are therefore sent to *every* domain ("supercookies"). This can potentially cause sensitive information to leak upon an HTTP redirect to a different domain., e.g. should `https://example.com` redirect to `http://cloudstorageprovider.com` the latter will receive the cookie `session`. Treq 2021.1.0 and later bind cookies given to request methods (`treq.request`, `treq.get`, `HTTPClient.request`, `HTTPClient.get`, etc.) to the origin of the *url* parameter. Users are advised to upgrade. For users unable to upgrade Instead of passing a dictionary as the *cookies* argument, pass a `http.cookiejar.CookieJar` instance with properly domain- and scheme-scoped cookies in it.

treq es una librería HTTP inspirada en peticiones pero escrita sobre los Agentes de Twisted. Los métodos de petición de Treq ("treq.get", "treq.post", etc.) y el constructor "treq.client.HTTPClient" aceptan cookies como diccionario. Dichas cookies no están vinculadas a un único dominio, por lo que son enviadas a *every* los dominios ("supercookies"). Esto puede potencialmente causar que se filtre información confidencial en un redireccionamiento HTTP a un dominio diferente, por ejemplo, si "https://example.com" es redirigido a "http://cloudstorageprovider.com" este último recibirá la cookie "session". Treq versiones 2021.1.0 y posteriores vinculan las cookies dadas a los métodos de petición ("treq.request", "treq.get", "HTTPClient.request", "HTTPClient.get", etc.) al origen del parámetro *url*. Se recomienda a usuarios que actualicen. Para usuarios que no puedan actualizarse En lugar de pasar un diccionario como argumento *cookies*, pase una instancia de "http.cookiejar.CookieJar" con las cookies apropiadas para el dominio y el esquema

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None
Attack Vector
Network
Attack Complexity
Medium
Authentication
None
Confidentiality
Partial
Integrity
None
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2022-01-19 CVE Reserved
  • 2022-02-01 CVE Published
  • 2024-08-03 CVE Updated
  • 2024-09-07 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
  • CWE-425: Direct Request ('Forced Browsing')
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Twistedmatrix
Search vendor "Twistedmatrix"
 Treq
Search vendor "Twistedmatrix" for product "Treq"
 >= 21.1.0 < 22.1.0
Search vendor "Twistedmatrix" for product "Treq" and version " >= 21.1.0 < 22.1.0"
-
Affected
Debian
Search vendor "Debian"
 Debian Linux
Search vendor "Debian" for product "Debian Linux"
 9.0
Search vendor "Debian" for product "Debian Linux" and version "9.0"
-
Affected