CVE-2022-23607
Description
treq is an HTTP library inspired by requests but written on top of Twisted's Agents. Treq's request methods (`treq.get`, `treq.post`, etc.) and `treq.client.HTTPClient` constructor accept cookies as a dictionary. Such cookies are not bound to a single domain, and are therefore sent to *every* domain ("supercookies"). This can potentially cause sensitive information to leak upon an HTTP redirect to a different domain., e.g. should `https://example.com` redirect to `http://cloudstorageprovider.com` the latter will receive the cookie `session`. Treq 2021.1.0 and later bind cookies given to request methods (`treq.request`, `treq.get`, `HTTPClient.request`, `HTTPClient.get`, etc.) to the origin of the *url* parameter. Users are advised to upgrade. For users unable to upgrade Instead of passing a dictionary as the *cookies* argument, pass a `http.cookiejar.CookieJar` instance with properly domain- and scheme-scoped cookies in it.
Predictions
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No mitigations published for this CVE yet.
The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or โ if you've already worked around this in production โ publish your fix to the community-verified tier.
โ Propose a mitigation on Community โ Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here withsource_tier=community-verified.
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| debian | bookworm | fixed | 22.2.0-0.1 |
| debian | bullseye | affected | |
| debian | forky | fixed | 22.2.0-0.1 |
| debian | sid | fixed | 22.2.0-0.1 |
| debian | trixie | fixed | 22.2.0-0.1 |
References
- https://github.com/twisted/treq/security/advisories/GHSA-fhpf-pp6p-55qc
- https://nvd.nist.gov/vuln/detail/CVE-2022-23607
- https://github.com/twisted/treq/commit/1da6022cc880bbcff59321abe02bf8498b89efb2
- https://github.com/pypa/advisory-database/tree/main/vulns/treq/PYSEC-2022-26.yaml
- https://github.com/twisted/treq
- https://github.com/twisted/treq/releases/tag/release-22.1.0
- https://huntr.dev/bounties/3c9204fc-a3d1-4441-8599-924c5f57e7ae/?token=06d930e37046c914bcb037e85cc227dc7b510b475989fc69837566562ba899277d46b0fb4b1e21cdcb6ddc1b7d9b1ded632cf3a3551ecb89afca16a63b34641284b50479d5195bba2ac09b116f3dd4fad27f54404c2de922c05c8c8b744aec27bb4d4d198cb8b3abf479af0c2d5fbaa10412da7922594ac3eb39
- https://lists.debian.org/debian-lts-announce/2022/03/msg00025.html
- https://security-tracker.debian.org/tracker/CVE-2022-23607
Community-verified mitigations for this CVE will appear above when contributors publish them.
Verify integrity in audit chain (admin only). AS-IS.