Updated: 2025-08-20 02:21:30.578482
Description:
http.cookiejar.DefaultCookiePolicy.domain_return_ok in Lib/http/cookiejar.py in Python before 3.7.3 does not correctly validate the request host against a cookie's domain: the comparison is a plain string-suffix match with no label boundary, so the jar can be tricked into sending existing cookies to the wrong server. An attacker can abuse this by operating a server whose hostname has another valid hostname as a suffix (e.g., pythonicexample.com to steal cookies set for example.com). When a program uses http.cookiejar.DefaultCookiePolicy and makes an HTTP connection to an attacker-controlled server, cookies already in the jar can be leaked to the attacker. This affects 2.x through 2.7.16, 3.x before 3.4.10, 3.5.x before 3.5.7, 3.6.x before 3.6.9, and 3.7.x before 3.7.3.
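The following is an added example, not part of this advisory or of CPython. The two `domain_matches_*` functions are a simplified re-implementation of the domain check in `DefaultCookiePolicy` before and after the fix, written here to make the suffix-match flaw visible; `probe_local_interpreter` then exercises the real `http.cookiejar` of whatever interpreter runs the file, using the hostnames from the advisory text and a constructed cookie value. On a patched interpreter the probe attaches the cookie to example.com and www.example.com but withholds it from pythonicexample.com.

```python
"""Domain matching behind CVE-2018-20852: simplified before/after logic,
plus a probe of the running interpreter's http.cookiejar.

The domain_matches_* functions are NOT CPython's code; they reproduce only
the suffix comparison that DefaultCookiePolicy.domain_return_ok performs.
"""
from http.cookiejar import Cookie, CookieJar, DefaultCookiePolicy
from urllib.request import Request


def domain_matches_vulnerable(cookie_domain: str, req_host: str) -> bool:
    """Pre-3.7.3 behaviour (simplified): a bare string-suffix test.

    Only the request host is forced to start with a dot, so a cookie domain
    stored without a leading dot ("example.com") matches any host that merely
    ends with those characters, including "pythonicexample.com".
    """
    if not req_host.startswith("."):
        req_host = "." + req_host
    return req_host.endswith(cookie_domain)


def domain_matches_fixed(cookie_domain: str, req_host: str) -> bool:
    """3.7.3+ behaviour (simplified): both sides get a leading dot first,
    so the suffix match can only succeed on a label boundary.
    """
    if not req_host.startswith("."):
        req_host = "." + req_host
    if cookie_domain and not cookie_domain.startswith("."):
        cookie_domain = "." + cookie_domain
    return req_host.endswith(cookie_domain)


def make_cookie(name: str, value: str, domain: str) -> Cookie:
    """Build a Netscape-style (version 0) cookie scoped to `domain`."""
    return Cookie(
        version=0, name=name, value=value,
        port=None, port_specified=False,
        domain=domain, domain_specified=True,
        domain_initial_dot=domain.startswith("."),
        path="/", path_specified=True,
        secure=False, expires=None, discard=True,
        comment=None, comment_url=None, rest={},
    )


def cookie_header_sent_to(jar: CookieJar, url: str):
    """Return the Cookie header the jar would attach to a request for `url`,
    or None when the policy withholds every cookie."""
    req = Request(url)
    jar.add_cookie_header(req)  # no network traffic: only fills in headers
    return req.get_header("Cookie")


def probe_local_interpreter() -> dict:
    """Store one cookie for example.com and ask the real http.cookiejar where
    it is willing to send it. The cookie value is constructed for this
    example; the hostnames are the ones from the advisory text."""
    jar = CookieJar(DefaultCookiePolicy())
    jar.set_cookie(make_cookie("session", "secret-token", "example.com"))
    return {
        "http://example.com/": cookie_header_sent_to(jar, "http://example.com/"),
        "http://www.example.com/": cookie_header_sent_to(jar, "http://www.example.com/"),
        # attacker-controlled host whose name merely ends in "example.com"
        "http://pythonicexample.com/": cookie_header_sent_to(jar, "http://pythonicexample.com/"),
    }


if __name__ == "__main__":
    for fn in (domain_matches_vulnerable, domain_matches_fixed):
        print(fn.__name__)
        for host in ("example.com", "www.example.com", "pythonicexample.com"):
            print(f"  cookie for example.com -> {host}: {fn('example.com', host)}")
    print("running interpreter's http.cookiejar:")
    for url, header in probe_local_interpreter().items():
        print(f"  {url}: Cookie: {header}")
```

Running the probe on an unpatched interpreter (one of the versions listed above) would show `session=secret-token` attached to the pythonicexample.com request as well, which is the leak the advisory describes. Note that the real fix touched the related checks in `return_ok_domain` and `set_ok_domain` too; the simplified functions above model only the suffix comparison itself.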
Links: NIST, CIRCL, RHEL, Ubuntu
| Metric | Severity | Score |
|---|---|---|
| CVSS Version 2.x | MEDIUM | 5.0 |
| CVSS Version 3.x | MEDIUM | 5.3 |
| OS name | Project name | Version | Score | Severity | Status | Errata | Last updated | Statement |
|---|---|---|---|---|---|---|---|---|
| Alpine Linux 3.22 | python | 3.6 | 5.3 | MEDIUM | Not Vulnerable | | 2026-01-27 16:42:46 | |
| Debian 10 | python | 3.6 | 5.3 | MEDIUM | Already Fixed | | 2025-09-09 19:25:03 | |
| Debian 10 | python | 2.7 | 5.3 | MEDIUM | Already Fixed | | 2025-09-09 19:25:02 | |
| Debian 11 | python | 2.7 | 5.3 | MEDIUM | Already Fixed | | 2025-09-09 19:25:01 | |
| Debian 11 | python | 3.6 | 5.3 | MEDIUM | Already Fixed | | 2025-09-09 19:25:03 | |
| Debian 12 | python | 3.7 | 5.3 | MEDIUM | Not Vulnerable | | 2025-12-09 20:16:06 | |
| Debian 12 | python | 3.6 | 5.3 | MEDIUM | Already Fixed | | 2025-09-09 19:25:02 | |
| Debian 12 | python | 2.7 | 5.3 | MEDIUM | Already Fixed | | 2025-09-09 19:25:00 | |
| Debian 13 | python | 3.6 | 5.3 | MEDIUM | Already Fixed | | 2025-10-03 19:04:05 | |
| Debian 13 | python | 2.7 | 5.3 | MEDIUM | Already Fixed | | 2025-10-23 12:53:35 | |