CVE-2018-20852

Priority
Description
http.cookiejar.DefaultCookiePolicy.domain_return_ok in Lib/http/cookiejar.py
(cookielib in Python 2) in Python before 3.7.3 does not correctly validate
the domain: the cookie domain is compared as a plain string suffix of the
request host, so a cookie domain stored without a leading dot (the form used
for a cookie set without a Domain attribute) also matches any host that merely
ends in it, and the jar can be tricked into sending existing cookies to the
wrong server. An attacker may abuse this flaw by using a server with a
hostname that has another valid hostname as a suffix (e.g.,
pythonicexample.com to steal cookies for example.com). When a program uses
http.cookiejar.DefaultCookiePolicy (the policy CookieJar, and therefore
urllib.request's HTTPCookieProcessor, installs by default) and makes an HTTP
connection to an attacker-controlled server, existing cookies can be leaked to
the attacker. This affects 2.x through 2.7.16, 3.x before 3.4.10, 3.5.x before
3.5.7, 3.6.x before 3.6.9, and 3.7.x before 3.7.3.
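The following is an added example, not code from the Ubuntu tracker or from CPython. The two small functions are a simplified reconstruction (an assumption, modelled on the behaviour described above) of the domain check before and after the upstream fix: both dot-prefix the request host, but only the fixed one also dot-prefixes the cookie domain, which anchors the suffix match on a label boundary. The third function probes the interpreter actually running the script by storing a cookie for example.com in a real http.cookiejar.CookieJar and asking what Cookie header it would attach to a request for pythonicexample.com; no connection is made. The hostnames and the cookie name/value are constructed.

```python
"""Added example for CVE-2018-20852: not from the Ubuntu tracker or CPython.
Hostnames and cookie values below are constructed."""
import http.cookiejar
import urllib.request


def vulnerable_domain_return_ok(cookie_domain: str, request_host: str) -> bool:
    """Assumption: simplified reconstruction of the pre-fix check. The request
    host gets a leading dot, the cookie domain does not, so a bare endswith()
    treats 'pythonicexample.com' as lying inside 'example.com'."""
    req_host = request_host if request_host.startswith(".") else "." + request_host
    return req_host.endswith(cookie_domain)


def fixed_domain_return_ok(cookie_domain: str, request_host: str) -> bool:
    """Same check after the fix: the cookie domain is dot-prefixed too, so the
    suffix match can only succeed on a label boundary."""
    req_host = request_host if request_host.startswith(".") else "." + request_host
    dotdomain = cookie_domain if cookie_domain.startswith(".") else "." + cookie_domain
    return req_host.endswith(dotdomain)


def probe_installed_cookiejar(cookie_domain: str, request_url: str):
    """Store one Netscape-style cookie for cookie_domain in this interpreter's
    CookieJar and return the Cookie header it would send to request_url
    (None if nothing would be sent). add_cookie_header() only inspects the
    Request object, so this runs offline."""
    jar = http.cookiejar.CookieJar(http.cookiejar.DefaultCookiePolicy())
    jar.set_cookie(http.cookiejar.Cookie(
        version=0, name="sid", value="s3cr3t",  # constructed cookie
        port=None, port_specified=False,
        domain=cookie_domain, domain_specified=True,
        domain_initial_dot=cookie_domain.startswith("."),
        path="/", path_specified=True,
        secure=False, expires=None, discard=True,
        comment=None, comment_url=None, rest={},
    ))
    req = urllib.request.Request(request_url)
    jar.add_cookie_header(req)
    return req.get_header("Cookie")


if __name__ == "__main__":
    victim, attacker = "example.com", "pythonicexample.com"
    for label, check in (("before fix", vulnerable_domain_return_ok),
                         ("after fix", fixed_domain_return_ok)):
        print(f"{label}: cookie for {victim} sent to {attacker}? "
              f"{check(victim, attacker)}")
    leaked = probe_installed_cookiejar(victim, f"http://{attacker}/")
    if leaked:
        print(f"installed http.cookiejar is affected: would send '{leaked}'")
    else:
        print("installed http.cookiejar is not affected")
```

Run it under the interpreter you want to check; a patched build (3.7.3+, or one of the distribution versions listed below) sends nothing to pythonicexample.com, while an unpatched one returns the sid cookie. A cookie whose domain already carries a leading dot was never affected, which the reconstruction also shows.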
Assigned-to
mdeslaur
Package
Upstream:released (2.7.16-3)
Ubuntu 12.04 ESM (Precise Pangolin):released (2.7.3-0ubuntu3.14)
Ubuntu 14.04 ESM (Trusty Tahr):released (2.7.6-8ubuntu0.6+esm2)
Ubuntu 16.04 LTS (Xenial Xerus):released (2.7.12-1ubuntu0~16.04.8)
Ubuntu 18.04 LTS (Bionic Beaver):released (2.7.15-4ubuntu4~18.04.1)
Ubuntu 19.04 (Disco Dingo):released (2.7.16-2ubuntu0.1)
Ubuntu 19.10 (Eoan):not-affected (2.7.16-3)
Patches:
Upstream:https://github.com/python/cpython/commit/979daae300916adb399ab5b51410b6ebd0888f13
Package
Upstream:released (3.4.10)
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 ESM (Trusty Tahr):released (3.4.3-1ubuntu1~14.04.7+esm2)
Ubuntu 16.04 LTS (Xenial Xerus):DNE
Ubuntu 18.04 LTS (Bionic Beaver):DNE
Ubuntu 19.04 (Disco Dingo):DNE
Ubuntu 19.10 (Eoan):DNE
Patches:
Upstream:https://github.com/python/cpython/commit/42ad4101d3ba7ca3c371dadf0f8880764c9f15fb
Package
Upstream:released (3.5.7)
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 ESM (Trusty Tahr):needed
Ubuntu 16.04 LTS (Xenial Xerus):released (3.5.2-2ubuntu0~16.04.8)
Ubuntu 18.04 LTS (Bionic Beaver):DNE
Ubuntu 19.04 (Disco Dingo):DNE
Ubuntu 19.10 (Eoan):DNE
Patches:
Upstream:https://github.com/python/cpython/commit/4749f1b69000259e23b4cc6f63c542a9bdc62f1b
Package
Upstream:released (3.6.9)
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 ESM (Trusty Tahr):DNE
Ubuntu 16.04 LTS (Xenial Xerus):DNE
Ubuntu 18.04 LTS (Bionic Beaver):released (3.6.8-1~18.04.2)
Ubuntu 19.04 (Disco Dingo):DNE
Ubuntu 19.10 (Eoan):DNE
Patches:
Upstream:https://github.com/python/cpython/commit/b241af861b37e20ad30533bc0b7e2e5491cc470f
Package
Upstream:released (3.7.3~rc1-1)
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 ESM (Trusty Tahr):DNE
Ubuntu 16.04 LTS (Xenial Xerus):DNE
Ubuntu 18.04 LTS (Bionic Beaver):not-affected (3.7.3-2)
Ubuntu 19.04 (Disco Dingo):not-affected (3.7.3-2)
Ubuntu 19.10 (Eoan):not-affected (3.7.3-2)
Patches:
Upstream:https://github.com/python/cpython/commit/e5123d81ffb3be35a1b2767d6ced1a097aaf77be
More Information

Updated: 2019-09-19 14:47:32 UTC (commit d32ebc32606b9517c6fa7d65a15441e2a57a6de5)