Improper Input Validation Affecting python2.7 package, versions <2.7.13-2+deb9u4


0.0
medium

Snyk CVSS

    Attack Complexity Low
Expand this section
NVD
5.3 medium
Expand this section
SUSE
5.3 medium
Expand this section
Red Hat
5.3 medium

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-DEBIAN9-PYTHON27-453437
  • published 24 Jul 2019
  • disclosed 13 Jul 2019

How to fix?

Upgrade Debian:9 python2.7 to version 2.7.13-2+deb9u4 or higher.

NVD Description

Note: Versions mentioned in the description apply to the upstream python2.7 package. See How to fix? for Debian:9 relevant versions.

http.cookiejar.DefaultPolicy.domain_return_ok in Lib/http/cookiejar.py in Python before 3.7.3 does not correctly validate the domain: it can be tricked into sending existing cookies to the wrong server. An attacker may abuse this flaw by using a server with a hostname that has another valid hostname as a suffix (e.g., pythonicexample.com to steal cookies for example.com). When a program uses http.cookiejar.DefaultPolicy and tries to do an HTTP connection to an attacker-controlled server, existing cookies can be leaked to the attacker. This affects 2.x through 2.7.16, 3.x before 3.4.10, 3.5.x before 3.5.7, 3.6.x before 3.6.9, and 3.7.x before 3.7.3.