CVE-2022-23607

Description

treq is an HTTP library inspired by requests but written on top of Twisteds Agents. Treqs request methods (treq.get, treq.post, etc.) and treq.client.HTTPClient constructor accept cookies as a dictionary. Such cookies are not bound to a single domain, and are therefore sent to *every* domain ("supercookies"). This can potentially cause sensitive information to leak upon an HTTP redirect to a different domain., e.g. should https://example.com redirect to http://cloudstorageprovider.com the latter will receive the cookie session. Treq 2021.1.0 and later bind cookies given to request methods (treq.request, treq.get, HTTPClient.request, HTTPClient.get, etc.) to the origin of the *url* parameter. Users are advised to upgrade. For users unable to upgrade Instead of passing a dictionary as the *cookies* argument, pass a http.cookiejar.CookieJar instance with properly domain- and scheme-scoped cookies in it.

Risk Information

Base Score

6.5

MODERATE

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

EPSS Score

Exploitation Probability

0.258

Associated Vulnerability

Vulnerability	OS Platform
Vulnerabilities CVE-2022-23607 are fixed in Python-treq 22.1.0	Windows
Vulnerabilities CVE-2022-23607 are fixed in Python-treq for linux 22.1.0	Linux

Patch Details

No records found

References

https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234