Candidate: CVE-2022-23607
PublicDate: 2022-02-01 11:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23607
 https://github.com/twisted/treq/security/advisories/GHSA-fhpf-pp6p-55qc
 https://github.com/twisted/treq/commit/1da6022cc880bbcff59321abe02bf8498b89efb2 (release-22.1.0)
Description:
 treq is an HTTP library inspired by requests but written on top of
 Twisted's Agents. Treq's request methods (`treq.get`, `treq.post`, etc.)
 and `treq.client.HTTPClient` constructor accept cookies as a dictionary.
 Such cookies are not bound to a single domain, and are therefore sent to
 *every* domain ("supercookies"). This can potentially cause sensitive
 information to leak upon an HTTP redirect to a different domain., e.g.
 should `https://example.com` redirect to `http://cloudstorageprovider.com`
 the latter will receive the cookie `session`. Treq 2021.1.0 and later bind
 cookies given to request methods (`treq.request`, `treq.get`,
 `HTTPClient.request`, `HTTPClient.get`, etc.) to the origin of the *url*
 parameter. Users are advised to upgrade. For users unable to upgrade
 Instead of passing a dictionary as the *cookies* argument, pass a
 `http.cookiejar.CookieJar` instance with properly domain- and scheme-scoped
 cookies in it.
Ubuntu-Description:
Notes:
Mitigation:
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1005041
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N [7.4 HIGH]


Patches_python-treq:
upstream_python-treq: needs-triage
trusty_python-treq: ignored (out of standard support)
xenial_python-treq: ignored (out of standard support)
bionic_python-treq: needs-triage
focal_python-treq: needs-triage
impish_python-treq: needs-triage
jammy_python-treq: needs-triage
devel_python-treq: needs-triage