http.cookiejar.DefaultPolicy.domain_return_ok in Lib/http/cookiejar.py in Python before 3.7.3 does not correctly validate the domain: it can be tricked into sending existing cookies to the wrong server. An attacker may abuse this flaw by using a server with a hostname that has another valid hostname as a suffix (e.g., pythonicexample.com to steal cookies for example.com). When a program uses http.cookiejar.DefaultPolicy and tries to do an HTTP connection to an attacker-controlled server, existing cookies can be leaked to the attacker. This affects 2.x through 2.7.16, 3.x before 3.4.10, 3.5.x before 3.5.7, 3.6.x before 3.6.9, and 3.7.x before 3.7.3.

Upstream issue: https://bugs.python.org/issue35121

References: https://python-security.readthedocs.io/vuln/cookie-domain-check.html
Created python2 tracking bugs for this issue:
Affects: fedora-all [bug 1740348]

Created python26 tracking bugs for this issue:
Affects: fedora-all [bug 1740349]

Created python3 tracking bugs for this issue:
Affects: fedora-all [bug 1740351]

Created python34 tracking bugs for this issue:
Affects: epel-all [bug 1740356]
Affects: fedora-all [bug 1740353]

Created python35 tracking bugs for this issue:
Affects: fedora-all [bug 1740352]

Created python36 tracking bugs for this issue:
Affects: epel-7 [bug 1740358]
Affects: fedora-all [bug 1740354]

Created python38 tracking bugs for this issue:
Affects: fedora-all [bug 1740355]
Statement: This issue affects the versions of python as shipped with Red Hat Enterprise Linux 5, 6, and 7. This issue affects the versions of python3 as shipped with Red Hat Enterprise Linux 7 and 8. This issue affects the versions of python2 and python36 as shipped with Red Hat Enterprise Linux 8.

Red Hat Enterprise Linux 5 is now in Extended Life Phase of the support and maintenance life cycle. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.

Red Hat Enterprise Linux 6 is now in Maintenance Support 2 Phase of the support and maintenance life cycle. This has been rated as having a security impact of Moderate, and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.
Patch 2.7 branch: https://github.com/python/cpython/commit/979daae300916adb399ab5b51410b6ebd0888f13
Patch 3.4 branch: https://github.com/python/cpython/commit/42ad4101d3ba7ca3c371dadf0f8880764c9f15fb
Patch 3.5 branch: https://github.com/python/cpython/commit/4749f1b69000259e23b4cc6f63c542a9bdc62f1b
Patch 3.6 branch: https://github.com/python/cpython/commit/b241af861b37e20ad30533bc0b7e2e5491cc470f
Patch 3.7 branch: https://github.com/python/cpython/commit/e5123d81ffb3be35a1b2767d6ced1a097aaf77be
This issue has been addressed in the following products:

Red Hat Software Collections for Red Hat Enterprise Linux 7
Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 6

Via RHSA-2019:3725 https://access.redhat.com/errata/RHSA-2019:3725
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2018-20852
This issue has been addressed in the following products:

Red Hat Software Collections for Red Hat Enterprise Linux 7
Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 6

Via RHSA-2019:3948 https://access.redhat.com/errata/RHSA-2019:3948
Mitigation: A potentially simple workaround, in the absence of a patch on affected versions, is to set DomainStrict in the cookie policy, which would ensure a literal match against the domain. The disadvantage would be that a cookie set on example.com would not be shared with subdomains, which might break workflows.
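As an added example (not part of this Bugzilla thread and not CPython's own code): the workaround above applied through http.cookiejar, showing which request hosts receive a host-only cookie set by example.com under the default policy versus a DomainStrict policy, plus a version check derived from the affected-version list in the description. The cookie value, the _FakeResponse helper and the sub.example.com host are constructed for the example.

```python
import sys
from email.message import Message
from http.cookiejar import CookieJar, DefaultCookiePolicy
from urllib.request import Request

ORIGIN = "http://example.com/"          # host that sets the cookie
# First fixed release per line, derived from the affected versions listed
# in the description (assumed: "through 2.7.16" means fixed in 2.7.17).
FIXED_IN = {(2, 7): (2, 7, 17), (3, 4): (3, 4, 10), (3, 5): (3, 5, 7),
            (3, 6): (3, 6, 9), (3, 7): (3, 7, 3)}

def interpreter_is_patched(version=sys.version_info[:3]):
    """True if this interpreter's release line carries the domain_return_ok fix."""
    line = version[:2]
    if line in FIXED_IN:
        return version >= FIXED_IN[line]
    return line > (3, 7)                 # 2.6 and 3.0-3.3 never received it

class _FakeResponse:
    """Constructed stand-in for an HTTP response: CookieJar.extract_cookies()
    only needs .info() to return a headers object with get_all()."""
    def __init__(self, set_cookie_values):
        self._headers = Message()
        for value in set_cookie_values:
            self._headers["Set-Cookie"] = value   # Message keeps duplicates

    def info(self):
        return self._headers

def strict_policy():
    """The workaround from the comment above: a DomainStrict cookie policy."""
    return DefaultCookiePolicy(strict_ns_domain=DefaultCookiePolicy.DomainStrict)

def cookie_header_for(policy, url):
    """Store a host-only cookie (no Domain attribute, so its stored domain is
    the bare 'example.com', the case the flawed suffix check mishandled) from
    ORIGIN, then return the Cookie header the jar attaches to a request for
    url, or None if the jar sends nothing."""
    jar = CookieJar(policy=policy)
    jar.extract_cookies(_FakeResponse(["session=abc123; Path=/"]), Request(ORIGIN))
    request = Request(url)
    jar.add_cookie_header(request)
    return request.get_header("Cookie")

if __name__ == "__main__":
    print("interpreter patched:", interpreter_is_patched())
    for label, policy in (("default", DefaultCookiePolicy()), ("DomainStrict", strict_policy())):
        for host in ("example.com", "pythonicexample.com", "sub.example.com"):
            sent = cookie_header_for(policy, "http://%s/" % host)
            print("%-12s %-22s -> %s" % (label, host, sent or "(no cookie sent)"))
```

Under DomainStrict the result is the same on patched and unpatched interpreters: only example.com itself gets the cookie, which is both the protection and the subdomain-sharing cost described above.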
This issue has been addressed in the following products:

Red Hat Enterprise Linux 7

Via RHSA-2020:1131 https://access.redhat.com/errata/RHSA-2020:1131
This issue has been addressed in the following products:

Red Hat Enterprise Linux 7

Via RHSA-2020:1132 https://access.redhat.com/errata/RHSA-2020:1132
This issue has been addressed in the following products:

Red Hat Enterprise Linux 8

Via RHSA-2020:1605 https://access.redhat.com/errata/RHSA-2020:1605
This issue has been addressed in the following products:

Red Hat Enterprise Linux 8

Via RHSA-2020:1764 https://access.redhat.com/errata/RHSA-2020:1764