Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1maHBmLXBwNnAtNTVxY80n8g
Unsafe handling of user-specified cookies in treq
Impact
Treq's request methods (treq.get, treq.post, HTTPClient.request, HTTPClient.get, etc.) accept cookies as a dictionary, for example:
treq.get('https://example.com/', cookies={'session': '1234'})
Such cookies are not bound to a single domain, and are therefore sent to every domain ("supercookies"). This can potentially cause sensitive information to leak upon an HTTP redirect to a different domain., e.g. should https://example.com redirect to http://cloudstorageprovider.com the latter will receive the cookie session.
Patches
Treq 2021.1.0 and later bind cookies given to request methods (treq.request, treq.get, HTTPClient.request, HTTPClient.get, etc.) to the origin of the url parameter.
Workarounds
Instead of passing a dictionary as the cookies argument, pass a http.cookiejar.CookieJar instance with properly domain- and scheme-scoped cookies in it:
from http.cookiejar import CookieJar
from requests.cookies import create_cookie
jar = CookieJar()
jar.add_cookie(
create_cookie(
name='session',
value='1234',
domain='example.com',
secure=True,
),
)
client = HTTPClient(cookies=jar)
client.get('https://example.com/')
References
- Originally reported at huntr.dev
- A related issue in the handling of HTTP basic authentication was addressed in Twisted 22.1 (GHSA-92x2-jw7w-xvvx, CVE-2022-21712).
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1maHBmLXBwNnAtNTVxY80n8g
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 2 years ago
Updated: 9 months ago
CVSS Score: 6.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Identifiers: GHSA-fhpf-pp6p-55qc, CVE-2022-23607
References:
- https://github.com/twisted/treq/security/advisories/GHSA-fhpf-pp6p-55qc
- https://github.com/twisted/treq/commit/1da6022cc880bbcff59321abe02bf8498b89efb2
- https://github.com/twisted/treq/releases/tag/release-22.1.0
- https://huntr.dev/bounties/3c9204fc-a3d1-4441-8599-924c5f57e7ae/?token=06d930e37046c914bcb037e85cc227dc7b510b475989fc69837566562ba899277d46b0fb4b1e21cdcb6ddc1b7d9b1ded632cf3a3551ecb89afca16a63b34641284b50479d5195bba2ac09b116f3dd4fad27f54404c2de922c05c8c8b744aec27bb4d4d198cb8b3abf479af0c2d5fbaa10412da7922594ac3eb39
- https://nvd.nist.gov/vuln/detail/CVE-2022-23607
- https://lists.debian.org/debian-lts-announce/2022/03/msg00025.html
- https://github.com/advisories/GHSA-fhpf-pp6p-55qc
Blast Radius: 18.0
Affected Packages
pypi:treq
Dependent packages: 17Dependent repositories: 595
Downloads: 497,654 last month
Affected Version Ranges: < 22.1.0
Fixed in: 22.1.0
All affected versions: 0.1.0, 0.2.0, 0.2.1, 15.0.0, 15.1.0, 16.12.0, 17.3.0, 17.3.1, 17.7.0, 17.8.0, 18.6.0, 20.3.0, 20.4.1, 20.9.0, 21.1.0, 21.5.0
All unaffected versions: 22.1.0, 22.2.0, 23.11.0, 24.9.0, 24.9.1