Improper Input Validation Affecting python-wheel package, versions <1:0.31.1-2.module+el8.3.0+120+426d8baf


Severity

Recommended
0.0
medium
0
10

Based on Rocky Linux security rating.

Threat Intelligence

EPSS
0.52% (78th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Improper Input Validation vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-ROCKY8-PYTHONWHEEL-3299681
  • published3 Feb 2023
  • disclosed13 Jul 2019

Introduced: 13 Jul 2019

CVE-2018-20852  (opens in a new tab)
CWE-20  (opens in a new tab)

How to fix?

Upgrade Rocky-Linux:8 python-wheel to version 1:0.31.1-2.module+el8.3.0+120+426d8baf or higher.
This issue was patched in RLSA-2020:1605.

NVD Description

Note: Versions mentioned in the description apply only to the upstream python-wheel package and not the python-wheel package as distributed by Rocky-Linux. See How to fix? for Rocky-Linux:8 relevant fixed versions and status.

http.cookiejar.DefaultPolicy.domain_return_ok in Lib/http/cookiejar.py in Python before 3.7.3 does not correctly validate the domain: it can be tricked into sending existing cookies to the wrong server. An attacker may abuse this flaw by using a server with a hostname that has another valid hostname as a suffix (e.g., pythonicexample.com to steal cookies for example.com). When a program uses http.cookiejar.DefaultPolicy and tries to do an HTTP connection to an attacker-controlled server, existing cookies can be leaked to the attacker. This affects 2.x through 2.7.16, 3.x before 3.4.10, 3.5.x before 3.5.7, 3.6.x before 3.6.9, and 3.7.x before 3.7.3.

References