Bug 1740347 (CVE-2018-20852) - CVE-2018-20852 python: Cookie domain check returns incorrect results
Summary: CVE-2018-20852 python: Cookie domain check returns incorrect results
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2018-20852
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1741553 1741554 1741556 1740348 1740349 1740351 1740352 1740353 1740354 1740355 1740356 1740358 1741551 1741552 1741555 1741557 1741558 1741559 1749100 1767891
Blocks: 1740361
TreeView+ depends on / blocked
 
Reported: 2019-08-12 18:06 UTC by msiddiqu
Modified: 2020-03-31 19:25 UTC (History)
25 users (show)

Fixed In Version: Python 3.4.10, Python 3.5.7, Python 3.6.9, Python 3.7.3
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-11-06 12:51:12 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2019:3725 None None None 2019-11-06 09:45:30 UTC
Red Hat Product Errata RHSA-2019:3948 None None None 2019-11-25 09:24:01 UTC
Red Hat Product Errata RHSA-2020:1131 None None None 2020-03-31 19:25:39 UTC
Red Hat Product Errata RHSA-2020:1132 None None None 2020-03-31 19:25:54 UTC

Description msiddiqu 2019-08-12 18:06:43 UTC
http.cookiejar.DefaultPolicy.domain_return_ok in Lib/http/cookiejar.py in Python before 3.7.3 does not correctly validate the domain: it can be tricked into sending existing cookies to the wrong server. An attacker may abuse this flaw by using a server with a hostname that has another valid hostname as a suffix (e.g., pythonicexample.com to steal cookies for example.com). When a program uses http.cookiejar.DefaultPolicy and tries to do an HTTP connection to an attacker-controlled server, existing cookies can be leaked to the attacker. This affects 2.x through 2.7.16, 3.x before 3.4.10, 3.5.x before 3.5.7, 3.6.x before 3.6.9, and 3.7.x before 3.7.3. 

Upstream issue: 

https://bugs.python.org/issue35121

References:  

https://python-security.readthedocs.io/vuln/cookie-domain-check.html

Comment 1 msiddiqu 2019-08-12 18:14:16 UTC
Created python2 tracking bugs for this issue:

Affects: fedora-all [bug 1740348]


Created python26 tracking bugs for this issue:

Affects: fedora-all [bug 1740349]


Created python3 tracking bugs for this issue:

Affects: fedora-all [bug 1740351]


Created python34 tracking bugs for this issue:

Affects: epel-all [bug 1740356]
Affects: fedora-all [bug 1740353]


Created python35 tracking bugs for this issue:

Affects: fedora-all [bug 1740352]


Created python36 tracking bugs for this issue:

Affects: epel-7 [bug 1740358]
Affects: fedora-all [bug 1740354]


Created python38 tracking bugs for this issue:

Affects: fedora-all [bug 1740355]

Comment 4 Stefan Cornelius 2019-08-15 12:31:44 UTC
Statement:

This issue affects the versions of python as shipped with Red Hat Enterprise Linux 5, 6, and 7. This issue affects the versions of python3 as shipped with Red Hat Enterprise Linux 7 and 8. This issue affects the versions of python2 and python36 as shipped with Red Hat Enterprise Linux 8.

Red Hat Enterprise Linux 5 is now in Extended Life Phase of the support and maintenance life cycle. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.

Red Hat Enterprise Linux 6 is now in Maintenance Support 2 Phase of the support and maintenance life cycle. This has been rated as having a security impact of Moderate, and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.

Comment 6 errata-xmlrpc 2019-11-06 09:45:28 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6

Via RHSA-2019:3725 https://access.redhat.com/errata/RHSA-2019:3725

Comment 7 Product Security DevOps Team 2019-11-06 12:51:12 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2018-20852

Comment 8 errata-xmlrpc 2019-11-25 09:23:59 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6

Via RHSA-2019:3948 https://access.redhat.com/errata/RHSA-2019:3948

Comment 9 Huzaifa S. Sidhpurwala 2020-02-11 03:31:51 UTC
Mitigation:

A potentially simple workaround in the absence of patch on affected versions is to set DomainStrict in the cookiepolicy that would make sure a literal match against domain. The disadvantage would be that cookie set on example.com would not be shared with subdomain which might break workflow.

Comment 10 errata-xmlrpc 2020-03-31 19:25:37 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:1131 https://access.redhat.com/errata/RHSA-2020:1131

Comment 11 errata-xmlrpc 2020-03-31 19:25:53 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:1132 https://access.redhat.com/errata/RHSA-2020:1132


Note You need to log in before you can comment on or make changes to this bug.