Improper Input Validation Affecting python27:2.7/python2-pip-wheel package, versions <0:9.0.3-16.module+el8.2.0+5478+b505947e


Severity

Recommended
0.0
medium
0
10

Based on Red Hat Enterprise Linux security rating.

Threat Intelligence

EPSS
0.52% (78th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Improper Input Validation vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-RHEL8-PYTHON27-3685226
  • published26 Jul 2021
  • disclosed31 Oct 2018

Introduced: 31 Oct 2018

CVE-2018-20852  (opens in a new tab)
CWE-20  (opens in a new tab)

How to fix?

Upgrade RHEL:8 python27:2.7/python2-pip-wheel to version 0:9.0.3-16.module+el8.2.0+5478+b505947e or higher.
This issue was patched in RHSA-2020:1605.

NVD Description

Note: Versions mentioned in the description apply only to the upstream python27:2.7/python2-pip-wheel package and not the python27:2.7/python2-pip-wheel package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

http.cookiejar.DefaultPolicy.domain_return_ok in Lib/http/cookiejar.py in Python before 3.7.3 does not correctly validate the domain: it can be tricked into sending existing cookies to the wrong server. An attacker may abuse this flaw by using a server with a hostname that has another valid hostname as a suffix (e.g., pythonicexample.com to steal cookies for example.com). When a program uses http.cookiejar.DefaultPolicy and tries to do an HTTP connection to an attacker-controlled server, existing cookies can be leaked to the attacker. This affects 2.x through 2.7.16, 3.x before 3.4.10, 3.5.x before 3.5.7, 3.6.x before 3.6.9, and 3.7.x before 3.7.3.

References