CVE-2018-20852
python2.7 - security update
Description
http.cookiejar.DefaultPolicy.domain_return_ok in Lib/http/cookiejar.py in Python before 3.7.3 does not correctly validate the domain: it can be tricked into sending existing cookies to the wrong server. (The class is actually named DefaultCookiePolicy; on Python 2 it lives in cookielib.) The pre-fix check only tested whether the request host ended with the cookie's domain string, without requiring the match to fall on a label boundary, so an attacker can abuse the flaw with a server whose hostname has another valid hostname as a suffix (e.g. pythonicexample.com to steal cookies for example.com). When a program uses the default cookie policy, which includes urllib.request clients built with HTTPCookieProcessor and any other client layered on CookieJar without a custom policy, and makes an HTTP request to an attacker-controlled server, existing cookies can be leaked to the attacker. This affects 2.x through 2.7.16, 3.x before 3.4.10, 3.5.x before 3.5.7, 3.6.x before 3.6.9, and 3.7.x before 3.7.3.
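The following is an added example, not code from the advisory or from CPython. It models the suffix check before and after the fix (the fixed model follows the dot-prefixing logic CPython adopted in 3.7.3) and then asks the installed interpreter's own DefaultCookiePolicy whether cookies scoped to example.com would be released to pythonicexample.com, which is a direct way to tell whether a given interpreter carries the fix regardless of its reported version. The hostnames are the ones from the description; no network connection is made.

```python
"""Added example (not from the advisory or CPython): models the cookie-domain
check behind CVE-2018-20852 and probes the installed http.cookiejar for it."""
import http.cookiejar
import urllib.request


def domain_matches_vulnerable(req_host: str, cookie_domain: str) -> bool:
    """Pre-fix behaviour reduced to its suffix test: the cookie domain was never
    dot-prefixed, so 'pythonicexample.com' ends with 'example.com' and matches."""
    return req_host.lower().endswith(cookie_domain.lower())


def domain_matches_fixed(req_host: str, cookie_domain: str) -> bool:
    """Post-fix behaviour (as in CPython 3.7.3 and later): both the request host
    and the cookie domain are given a leading dot, so the suffix match can only
    succeed on a label boundary."""
    req_host = req_host.lower()
    cookie_domain = cookie_domain.lower()
    if not req_host.startswith("."):
        req_host = "." + req_host
    if cookie_domain and not cookie_domain.startswith("."):
        cookie_domain = "." + cookie_domain
    return req_host.endswith(cookie_domain)


def installed_policy_leaks(req_host: str, cookie_domain: str) -> bool:
    """Return True if this interpreter's DefaultCookiePolicy would hand cookies
    scoped to cookie_domain to a request for req_host.  domain_return_ok only
    inspects the Request object, so nothing is sent over the network."""
    policy = http.cookiejar.DefaultCookiePolicy()
    req = urllib.request.Request(f"http://{req_host}/")  # constructed request, never opened
    return policy.domain_return_ok(cookie_domain, req)


if __name__ == "__main__":
    attacker, victim = "pythonicexample.com", "example.com"  # hosts from the advisory text
    print("vulnerable model :", domain_matches_vulnerable(attacker, victim))  # True
    print("fixed model      :", domain_matches_fixed(attacker, victim))       # False
    leaks = installed_policy_leaks(attacker, victim)
    print("installed policy :", "VULNERABLE" if leaks else "patched")
```

Run it under each interpreter you ship (e.g. `python2.7 check.py` after changing the imports to `cookielib` and `urllib2`, or `python3 check.py`). The runtime probe is preferable to comparing version strings because distribution backports such as the Debian builds listed below keep the upstream version number while carrying the fix.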
How to fix CVE-2018-20852
To remediate CVE-2018-20852, upgrade the affected package to a fixed version below.
- upgrade to 2.7.16-3 or later
- upgrade to 2.7.9-2+deb8u4 or later
- upgrade to 2.7.13-2+deb9u4 or later
- upgrade to 3.4.2-1+deb8u6 or later
Is CVE-2018-20852 being exploited?
Low: EPSS is 1.7%, a low estimated probability that this CVE will be exploited in the wild within the next 30 days. EPSS is a prediction rather than a record of observed attacks; the impact of a successful attack is still theft of any session cookies held by a client that can be made to request an attacker-controlled host.
Affected packages (4)
- from 0, < 2.7.16-3
- from 0, < 2.7.9-2+deb8u4
- from 0, < 2.7.13-2+deb9u4
- from 0, < 3.4.2-1+deb8u6
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 5.3 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |