Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1maHBmLXBwNnAtNTVxY80n8g
Unsafe handling of user-specified cookies in treq
Impact
Treq's request methods (treq.get
, treq.post
, HTTPClient.request
, HTTPClient.get
, etc.) accept cookies as a dictionary, for example:
treq.get('https://example.com/', cookies={'session': '1234'})
Such cookies are not bound to a single domain, and are therefore sent to every domain ("supercookies"). This can potentially cause sensitive information to leak upon an HTTP redirect to a different domain., e.g. should https://example.com
redirect to http://cloudstorageprovider.com
the latter will receive the cookie session
.
Patches
Treq 2021.1.0 and later bind cookies given to request methods (treq.request
, treq.get
, HTTPClient.request
, HTTPClient.get
, etc.) to the origin of the url parameter.
Workarounds
Instead of passing a dictionary as the cookies argument, pass a http.cookiejar.CookieJar
instance with properly domain- and scheme-scoped cookies in it:
from http.cookiejar import CookieJar
from requests.cookies import create_cookie
jar = CookieJar()
jar.add_cookie(
create_cookie(
name='session',
value='1234',
domain='example.com',
secure=True,
),
)
client = HTTPClient(cookies=jar)
client.get('https://example.com/')
References
- Originally reported at huntr.dev
- A related issue in the handling of HTTP basic authentication was addressed in Twisted 22.1 (GHSA-92x2-jw7w-xvvx, CVE-2022-21712).
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1maHBmLXBwNnAtNTVxY80n8g
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 2 years ago
Updated: 9 months ago
CVSS Score: 6.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Identifiers: GHSA-fhpf-pp6p-55qc, CVE-2022-23607
References:
- https://github.com/twisted/treq/security/advisories/GHSA-fhpf-pp6p-55qc
- https://github.com/twisted/treq/commit/1da6022cc880bbcff59321abe02bf8498b89efb2
- https://github.com/twisted/treq/releases/tag/release-22.1.0
- https://huntr.dev/bounties/3c9204fc-a3d1-4441-8599-924c5f57e7ae/?token=06d930e37046c914bcb037e85cc227dc7b510b475989fc69837566562ba899277d46b0fb4b1e21cdcb6ddc1b7d9b1ded632cf3a3551ecb89afca16a63b34641284b50479d5195bba2ac09b116f3dd4fad27f54404c2de922c05c8c8b744aec27bb4d4d198cb8b3abf479af0c2d5fbaa10412da7922594ac3eb39
- https://nvd.nist.gov/vuln/detail/CVE-2022-23607
- https://lists.debian.org/debian-lts-announce/2022/03/msg00025.html
- https://github.com/advisories/GHSA-fhpf-pp6p-55qc
Blast Radius: 18.0
Affected Packages
pypi:treq
Dependent packages: 17Dependent repositories: 595
Downloads: 497,654 last month
Affected Version Ranges: < 22.1.0
Fixed in: 22.1.0
All affected versions: 0.1.0, 0.2.0, 0.2.1, 15.0.0, 15.1.0, 16.12.0, 17.3.0, 17.3.1, 17.7.0, 17.8.0, 18.6.0, 20.3.0, 20.4.1, 20.9.0, 21.1.0, 21.5.0
All unaffected versions: 22.1.0, 22.2.0, 23.11.0, 24.9.0, 24.9.1