CVE-2018-20852 — Improper Input Validation in Python
Severity: 5.3 MEDIUM (NVD); OSV: 7.6 / 7.5
EPSS: 2.0% (top 16.35%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products
Timeline: Published Jul 13; Latest update Jul 11
Description
http.cookiejar.DefaultPolicy.domain_return_ok in Lib/http/cookiejar.py in Python before 3.7.3 does not correctly validate the domain: it can be tricked into sending existing cookies to the wrong server. An attacker may abuse this flaw by using a server with a hostname that has another valid hostname as a suffix (e.g., pythonicexample.com to steal cookies for example.com). When a program uses http.cookiejar.DefaultPolicy and tries to do an HTTP connection to an attacker-controlled server, existin…
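As an added illustration (not code from this page, the NVD entry or CPython itself), the block below restates the pre-3.7.3 suffix test and the dot-boundary rule that replaced it in simplified form, then uses the standard library's real http.cookiejar to probe whether the interpreter running it would still attach an example.com cookie to a request for pythonicexample.com. The cookie name and value and the probed hostnames are constructed; no network traffic is generated.

```python
"""Illustration of the CVE-2018-20852 cookie-domain check (added example,
not CPython's own code). The two small functions are a simplified
restatement of the vulnerable suffix test and of the fixed one;
would_send_cookie() probes the running interpreter's DefaultCookiePolicy
through the real http.cookiejar API, without any network I/O.
"""
import http.cookiejar
import urllib.request


def _dotted(host: str) -> str:
    """Prefix with '.' so that suffix matching aligns on a label boundary."""
    return host if host.startswith(".") else "." + host


def domain_ok_vulnerable(cookie_domain: str, req_host: str) -> bool:
    """Pre-fix logic (simplified): the request host is dotted but the cookie
    domain is not, so 'example.com' also matches '.pythonicexample.com'."""
    return _dotted(req_host).endswith(cookie_domain)


def domain_ok_fixed(cookie_domain: str, req_host: str) -> bool:
    """Fixed logic (simplified): dot both sides before the suffix test, so
    only 'example.com' itself and its subdomains match."""
    return _dotted(req_host).endswith(_dotted(cookie_domain))


def would_send_cookie(cookie_domain: str, req_host: str) -> bool:
    """Ask the running interpreter's cookie policy whether a version-0 cookie
    scoped to cookie_domain would be attached to a request for
    http://req_host/. Returns True for the lookalike host on an affected Python."""
    jar = http.cookiejar.CookieJar()  # uses DefaultCookiePolicy
    jar.set_cookie(http.cookiejar.Cookie(
        0, "session", "constructed-value", None, False,
        cookie_domain, True, cookie_domain.startswith("."),
        "/", True, False, None, False, None, None, {}))
    req = urllib.request.Request(f"http://{req_host}/")
    jar.add_cookie_header(req)  # runs domain_return_ok / return_ok_domain
    return req.get_header("Cookie") is not None


if __name__ == "__main__":
    # Constructed hosts: the page's lookalike example plus ordinary cases.
    for host in ("example.com", "www.example.com", "pythonicexample.com"):
        print(f"{host:22} vulnerable={domain_ok_vulnerable('example.com', host)!s:5}"
              f" fixed={domain_ok_fixed('example.com', host)!s:5}"
              f" this_python_sends={would_send_cookie('example.com', host)}")
```

A cookie domain stored with a leading dot (".example.com") was not affected, since both sides of the comparison then already carry the label boundary.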
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Exploitability: 3.9 | Impact: 1.4
Affected Packages: 2 packages
Vulnerability Details
OSV: python3.5, python3.6, python3.7, python3.8, python3.9, python3.10, python3.11, python3.12 vulnerabilities (2024-07-11)
Vendor Advisories
Oracle: Oracle Communications Applications Risk Matrix: VSP Webserver (Python) — CVE-2018-20852 (2020-04-15)
Community
Bugzilla: CVE-2018-20852 python34: python: cookie domain check returns incorrect results [epel-all] (2019-08-12)
Bugzilla: CVE-2018-20852 python35: python: cookie domain check returns incorrect results [fedora-all] (2019-08-12)
Bugzilla: CVE-2018-20852 python2: python: cookie domain check returns incorrect results [fedora-all] (2019-08-12)
Bugzilla: CVE-2018-20852 python36: python: cookie domain check returns incorrect results [fedora-all] (2019-08-12)