Updated: 2025-08-20 02:21:30.578482
Description:
http.cookiejar.DefaultPolicy.domain_return_ok in Lib/http/cookiejar.py in Python before 3.7.3 does not correctly validate the domain: it can be tricked into sending existing cookies to the wrong server. An attacker may abuse this flaw by using a server with a hostname that has another valid hostname as a suffix (e.g., pythonicexample.com to steal cookies for example.com). When a program uses http.cookiejar.DefaultPolicy and tries to do an HTTP connection to an attacker-controlled server, existing cookies can be leaked to the attacker. This affects 2.x through 2.7.16, 3.x before 3.4.10, 3.5.x before 3.5.7, 3.6.x before 3.6.9, and 3.7.x before 3.7.3.
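The flaw above is a plain string-suffix test where a domain-label test was needed. The following is an added example, not code from this page or from CPython: `host_matches_cookie_domain` is a hypothetical reference implementation of the label-boundary rule (a cookie domain must equal the request host or be a suffix of it that begins at a dot), and `cookies_sent_to` exercises the real stdlib `http.cookiejar.CookieJar` / `DefaultCookiePolicy` with a constructed cookie so an operator can confirm that the interpreter in use does not attach `example.com` cookies to a request for `pythonicexample.com`. The cookie name and value are made up for the example; no request is actually sent.

```python
"""Cookie-domain matching check (added example, not from the page or CPython).

1. host_matches_cookie_domain(): reference label-boundary rule, modelled on
   the post-fix behaviour (an assumption, not copied from the library).
2. cookies_sent_to(): the stdlib jar itself, driven with a constructed cookie,
   to verify the running interpreter's policy.
"""
from http.cookiejar import Cookie, CookieJar, DefaultCookiePolicy
from typing import Optional
import urllib.request


def host_matches_cookie_domain(request_host: str, cookie_domain: str) -> bool:
    """True only if request_host equals cookie_domain or is a subdomain of it.

    Prefixing both sides with a dot turns a bare endswith() into a test on
    whole DNS labels, so "pythonicexample.com" no longer matches "example.com".
    """
    host = request_host.lower().rstrip(".")
    domain = cookie_domain.lower().rstrip(".")
    if not host or not domain:
        return False
    dot_host = host if host.startswith(".") else "." + host
    dot_domain = domain if domain.startswith(".") else "." + domain
    return dot_host.endswith(dot_domain)


def make_cookie(name: str, value: str, domain: str) -> Cookie:
    """Build a Netscape-style (version 0) cookie scoped to `domain`.

    Constructed sample data; a real jar fills these fields from Set-Cookie.
    """
    return Cookie(
        version=0, name=name, value=value,
        port=None, port_specified=False,
        domain=domain, domain_specified=True,
        domain_initial_dot=domain.startswith("."),
        path="/", path_specified=True,
        secure=False, expires=None, discard=True,
        comment=None, comment_url=None, rest={},
    )


def build_jar() -> CookieJar:
    """Jar holding one constructed cookie bound to example.com."""
    jar = CookieJar(policy=DefaultCookiePolicy())
    jar.set_cookie(make_cookie("session", "s3cr3t-sample", "example.com"))
    return jar


def cookies_sent_to(url: str, jar: CookieJar) -> Optional[str]:
    """Return the Cookie header the jar would attach to a request for `url`.

    add_cookie_header() only consults the policy; nothing goes on the wire.
    """
    req = urllib.request.Request(url)
    jar.add_cookie_header(req)
    return req.get_header("Cookie")


if __name__ == "__main__":
    jar = build_jar()
    for target in ("http://example.com/", "http://www.example.com/",
                   "http://pythonicexample.com/"):
        # A fixed interpreter prints None for the last target.
        print(f"{target:32} -> {cookies_sent_to(target, jar)!r}")
```

On a patched interpreter the first two targets receive `session=s3cr3t-sample` and the look-alike host receives nothing; on a version listed as affected, the third line would show the cookie as well, which is the leak the description refers to.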
Links: NIST | CIRCL | RHEL | Ubuntu

| Metric | Severity | Score |
|---|---|---|
| CVSS Version 2.x | MEDIUM | 5.0 |
| CVSS Version 3.x | MEDIUM | 5.3 |
| OS name | Project name | Version | Score | Severity | Status | Errata | Last updated | Statement |
|---|---|---|---|---|---|---|---|---|
| Ubuntu 16.04 | python | 3.6 | 5.3 | MEDIUM | Already Fixed | | 2025-08-15 00:40:13 | |
| Ubuntu 18.04 | python | 2.7 | 5.3 | MEDIUM | Already Fixed | | 2025-09-09 19:33:31 | |
| Ubuntu 18.04 | python | 3.6 | 5.3 | MEDIUM | Already Fixed | | 2025-08-15 00:40:12 | |
| Ubuntu 20.04 | python | 2.7 | 5.3 | MEDIUM | Already Fixed | | 2025-09-09 19:33:31 | |
| Ubuntu 20.04 | python | 3.6 | 5.3 | MEDIUM | Already Fixed | | 2025-08-15 00:40:09 | |
| Ubuntu 22.04 | python | 2.7 | 5.3 | MEDIUM | Already Fixed | | 2025-09-09 19:33:30 | |
| Ubuntu 22.04 | python | 3.6 | 5.3 | MEDIUM | Already Fixed | | 2025-08-15 00:40:14 | |
| Ubuntu 24.04 | python | 2.7 | 5.3 | MEDIUM | Already Fixed | | 2025-09-09 19:33:29 | |
| Ubuntu 24.04 | python | 3.6 | 5.3 | MEDIUM | Already Fixed | | 2025-08-15 00:40:10 | |