http.cookiejar.DefaultPolicy.domain_return_ok in Lib/http/cookiejar.py in Python before 3.7.3 does not correctly validate the domain: it can be tricked into sending existing cookies to the wrong server. An attacker may abuse this flaw by using a server with a hostname that has another valid hostname as a suffix (e.g., pythonicexample.com to steal cookies for example.com). When a program uses http.cookiejar.DefaultPolicy and tries to do an HTTP connection to an attacker-controlled server, existing cookies can be leaked to the attacker. This affects 2.x through 2.7.16, 3.x before 3.4.10, 3.5.x before 3.5.7, 3.6.x before 3.6.9, and 3.7.x before 3.7.3.
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2019-07-13T20:29:42

Updated: 2024-08-05T12:12:29.756Z

Reserved: 2019-07-13T00:00:00

Link: CVE-2018-20852

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2019-07-13T21:15:10.377

Modified: 2024-11-21T04:02:18.780

Link: CVE-2018-20852

cve-icon Redhat

Severity : Moderate

Publid Date: 2018-10-31T00:00:00Z

Links: CVE-2018-20852 - Bugzilla