Updated: 2025-08-20 02:21:30.578482
Description:
http.cookiejar.DefaultPolicy.domain_return_ok in Lib/http/cookiejar.py in Python before 3.7.3 does not correctly validate the domain: it can be tricked into sending existing cookies to the wrong server. An attacker may abuse this flaw by using a server with a hostname that has another valid hostname as a suffix (e.g., pythonicexample.com to steal cookies for example.com). When a program uses http.cookiejar.DefaultPolicy and tries to do an HTTP connection to an attacker-controlled server, existing cookies can be leaked to the attacker. This affects 2.x through 2.7.16, 3.x before 3.4.10, 3.5.x before 3.5.7, 3.6.x before 3.6.9, and 3.7.x before 3.7.3.
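As an added illustration (not the page's or CPython's own code), the two domain checks below contrast the bare suffix match described above with a label-boundary match, and `is_affected` tests an interpreter version against the affected ranges listed in this description. The jar contents and hostnames are constructed sample data.

```python
import sys

# Constructed sample jar: cookie domain -> cookie names (not real data).
JAR = {"example.com": ["session", "csrf"], "other.test": ["pref"]}


def domain_ok_naive(request_host: str, cookie_domain: str) -> bool:
    """Bare suffix test (the flawed behaviour): any host whose name merely
    ends with the cookie domain string is accepted, so 'pythonicexample.com'
    passes for cookies scoped to 'example.com'."""
    return request_host.lower().endswith(cookie_domain.lower().lstrip("."))


def domain_ok_fixed(request_host: str, cookie_domain: str) -> bool:
    """Label-boundary test: the host must be the cookie domain itself or a
    subdomain of it, i.e. end with '.' + domain."""
    host = request_host.lower()
    domain = cookie_domain.lower().lstrip(".")
    return host == domain or host.endswith("." + domain)


def cookies_sent(request_host: str, jar=JAR, policy=domain_ok_fixed):
    """Names of the cookies a jar would attach to a request for
    request_host under the given domain policy (sorted for stable output)."""
    return sorted(
        name for domain, names in jar.items()
        if policy(request_host, domain) for name in names
    )


def is_affected(version=sys.version_info[:3]) -> bool:
    """True if (major, minor, micro) falls in the affected ranges stated in
    the description: 2.x through 2.7.16, 3.x before 3.4.10, 3.5.x before
    3.5.7, 3.6.x before 3.6.9, 3.7.x before 3.7.3."""
    major, minor, micro = version
    if major == 2:
        return (minor, micro) <= (7, 16)
    if major == 3:
        if minor < 4:
            return True
        first_fixed_micro = {4: 10, 5: 7, 6: 9, 7: 3}
        return minor in first_fixed_micro and micro < first_fixed_micro[minor]
    return False
```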
| CVSS | Severity | Score |
|---|---|---|
| CVSS Version 2.x | MEDIUM | 5.0 |
| CVSS Version 3.x | MEDIUM | 5.3 |
| OS name | Project name | Version | Score | Severity | Status | Errata | Last updated | Statement |
|---|---|---|---|---|---|---|---|---|
| Debian 13 | python | 3.7 | 5.3 | MEDIUM | Not Vulnerable | | 2025-12-09 20:16:07 | |
| EL 10 | python | 2.7 | 5.3 | MEDIUM | Already Fixed | | 2025-10-10 11:08:36 | |
| EL 10 | python | 3.6 | 5.3 | MEDIUM | Not Vulnerable | | 2025-12-09 20:18:55 | |
| EL 7 | python | 2.7 | 5.3 | MEDIUM | Already Fixed | | 2025-07-24 01:51:50 | |
| EL 7 | python | 3.6 | 5.3 | MEDIUM | Already Fixed | | 2025-07-16 01:30:38 | |
| EL 8 | python | 2.7 | 5.3 | MEDIUM | Already Fixed | | 2025-07-24 01:51:50 | |
| EL 8 | python | 3.6 | 5.3 | MEDIUM | Already Fixed | | 2025-07-16 01:30:37 | |
| EL 9 | python | 3.6 | 5.3 | MEDIUM | Already Fixed | | 2025-07-16 01:30:37 | |
| EL 9 | python | 2.7 | 5.3 | MEDIUM | Already Fixed | | 2025-07-24 01:51:50 | |
| Ubuntu 16.04 | python | 2.7 | 5.3 | MEDIUM | Already Fixed | | 2025-09-09 19:33:31 | |