cvelistv5 - cve-2022-23607

CVE-2022-23607 (GCVE-0-2022-23607)

Vulnerability from cvelistv5 – Published: 2022-02-01 11:01 – Updated: 2024-08-03 03:43

Summary

treq is an HTTP library inspired by requests but written on top of Twisted's Agents. Treq's request methods (`treq.get`, `treq.post`, etc.) and `treq.client.HTTPClient` constructor accept cookies as a dictionary. Such cookies are not bound to a single domain, and are therefore sent to *every* domain ("supercookies"). This can potentially cause sensitive information to leak upon an HTTP redirect to a different domain., e.g. should `https://example.com` redirect to `http://cloudstorageprovider.com` the latter will receive the cookie `session`. Treq 2021.1.0 and later bind cookies given to request methods (`treq.request`, `treq.get`, `HTTPClient.request`, `HTTPClient.get`, etc.) to the origin of the *url* parameter. Users are advised to upgrade. For users unable to upgrade Instead of passing a dictionary as the *cookies* argument, pass a `http.cookiejar.CookieJar` instance with properly domain- and scheme-scoped cookies in it.

Severity ?

6.5 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

CWE

CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor

Assigner

GitHub_M

References

URL

	Vendor	Product	Version
	twisted	treq	Affected: < 22.1.0

FKIE_CVE-2022-23607

Vulnerability from fkie_nvd - Published: 2022-02-01 11:15 - Updated: 2024-11-21 06:48

Severity ?

6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/twisted/treq/security/advisories/GHSA-fhpf-pp6p-55qc	Mitigation, Third Party Advisory
security-advisories@github.com	https://lists.debian.org/debian-lts-announce/2022/03/msg00025.html	Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/twisted/treq/security/advisories/GHSA-fhpf-pp6p-55qc	Mitigation, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://lists.debian.org/debian-lts-announce/2022/03/msg00025.html	Mailing List, Third Party Advisory

Impacted products

	Vendor	Product	Version
	twistedmatrix	treq	*
	debian	debian_linux	9.0

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:twistedmatrix:treq:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "1D318278-8A95-455E-A274-073710711201",
              "versionEndExcluding": "22.1.0",
              "versionStartIncluding": "21.1.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "treq is an HTTP library inspired by requests but written on top of Twisted\u0027s Agents. Treq\u0027s request methods (`treq.get`, `treq.post`, etc.) and `treq.client.HTTPClient` constructor accept cookies as a dictionary. Such cookies are not bound to a single domain, and are therefore sent to *every* domain (\"supercookies\"). This can potentially cause sensitive information to leak upon an HTTP redirect to a different domain., e.g. should `https://example.com` redirect to `http://cloudstorageprovider.com` the latter will receive the cookie `session`. Treq 2021.1.0 and later bind cookies given to request methods (`treq.request`, `treq.get`, `HTTPClient.request`, `HTTPClient.get`, etc.) to the origin of the *url* parameter. Users are advised to upgrade. For users unable to upgrade Instead of passing a dictionary as the *cookies* argument, pass a `http.cookiejar.CookieJar` instance with properly domain- and scheme-scoped cookies in it."
    },
    {
      "lang": "es",
      "value": "treq es una librer\u00eda HTTP inspirada en peticiones pero escrita sobre los Agentes de Twisted. Los m\u00e9todos de petici\u00f3n de Treq (\"treq.get\", \"treq.post\", etc.) y el constructor \"treq.client.HTTPClient\" aceptan cookies como diccionario. Dichas cookies no est\u00e1n vinculadas a un \u00fanico dominio, por lo que son enviadas a *every* los dominios (\"supercookies\"). Esto puede potencialmente causar que se filtre informaci\u00f3n confidencial en un redireccionamiento HTTP a un dominio diferente, por ejemplo, si \"https://example.com\" es redirigido a \"http://cloudstorageprovider.com\" este \u00faltimo recibir\u00e1 la cookie \"session\". Treq versiones 2021.1.0 y posteriores vinculan las cookies dadas a los m\u00e9todos de petici\u00f3n (\"treq.request\", \"treq.get\", \"HTTPClient.request\", \"HTTPClient.get\", etc.) al origen del par\u00e1metro *url*. Se recomienda a usuarios que actualicen. Para usuarios que no puedan actualizarse En lugar de pasar un diccionario como argumento *cookies*, pase una instancia de \"http.cookiejar.CookieJar\" con las cookies apropiadas para el dominio y el esquema"
    }
  ],
  "id": "CVE-2022-23607",
  "lastModified": "2024-11-21T06:48:55.230",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.6,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2022-02-01T11:15:11.557",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Mitigation",
        "Third Party Advisory"
      ],
      "url": "https://github.com/twisted/treq/security/advisories/GHSA-fhpf-pp6p-55qc"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00025.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mitigation",
        "Third Party Advisory"
      ],
      "url": "https://github.com/twisted/treq/security/advisories/GHSA-fhpf-pp6p-55qc"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00025.html"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-200"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-425"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

GSD-2022-23607

Vulnerability from gsd - Updated: 2023-12-13 01:19

Details

Aliases

CVE-2022-23607

Aliases

CVE-2022-23607

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2022-23607",
    "description": "treq is an HTTP library inspired by requests but written on top of Twisted\u0027s Agents. Treq\u0027s request methods (`treq.get`, `treq.post`, etc.) and `treq.client.HTTPClient` constructor accept cookies as a dictionary. Such cookies are not bound to a single domain, and are therefore sent to *every* domain (\"supercookies\"). This can potentially cause sensitive information to leak upon an HTTP redirect to a different domain., e.g. should `https://example.com` redirect to `http://cloudstorageprovider.com` the latter will receive the cookie `session`. Treq 2021.1.0 and later bind cookies given to request methods (`treq.request`, `treq.get`, `HTTPClient.request`, `HTTPClient.get`, etc.) to the origin of the *url* parameter. Users are advised to upgrade. For users unable to upgrade Instead of passing a dictionary as the *cookies* argument, pass a `http.cookiejar.CookieJar` instance with properly domain- and scheme-scoped cookies in it.",
    "id": "GSD-2022-23607",
    "references": [
      "https://www.suse.com/security/cve/CVE-2022-23607.html"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2022-23607"
      ],
      "details": "treq is an HTTP library inspired by requests but written on top of Twisted\u0027s Agents. Treq\u0027s request methods (`treq.get`, `treq.post`, etc.) and `treq.client.HTTPClient` constructor accept cookies as a dictionary. Such cookies are not bound to a single domain, and are therefore sent to *every* domain (\"supercookies\"). This can potentially cause sensitive information to leak upon an HTTP redirect to a different domain., e.g. should `https://example.com` redirect to `http://cloudstorageprovider.com` the latter will receive the cookie `session`. Treq 2021.1.0 and later bind cookies given to request methods (`treq.request`, `treq.get`, `HTTPClient.request`, `HTTPClient.get`, etc.) to the origin of the *url* parameter. Users are advised to upgrade. For users unable to upgrade Instead of passing a dictionary as the *cookies* argument, pass a `http.cookiejar.CookieJar` instance with properly domain- and scheme-scoped cookies in it.",
      "id": "GSD-2022-23607",
      "modified": "2023-12-13T01:19:35.298804Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2022-23607",
        "STATE": "PUBLIC",
        "TITLE": "Unsafe handling of user-specified cookies in treq"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "treq",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "\u003c 22.1.0"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "twisted"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "treq is an HTTP library inspired by requests but written on top of Twisted\u0027s Agents. Treq\u0027s request methods (`treq.get`, `treq.post`, etc.) and `treq.client.HTTPClient` constructor accept cookies as a dictionary. Such cookies are not bound to a single domain, and are therefore sent to *every* domain (\"supercookies\"). This can potentially cause sensitive information to leak upon an HTTP redirect to a different domain., e.g. should `https://example.com` redirect to `http://cloudstorageprovider.com` the latter will receive the cookie `session`. Treq 2021.1.0 and later bind cookies given to request methods (`treq.request`, `treq.get`, `HTTPClient.request`, `HTTPClient.get`, etc.) to the origin of the *url* parameter. Users are advised to upgrade. For users unable to upgrade Instead of passing a dictionary as the *cookies* argument, pass a `http.cookiejar.CookieJar` instance with properly domain- and scheme-scoped cookies in it."
          }
        ]
      },
      "impact": {
        "cvss": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
          "version": "3.1"
        }
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/twisted/treq/security/advisories/GHSA-fhpf-pp6p-55qc",
            "refsource": "CONFIRM",
            "url": "https://github.com/twisted/treq/security/advisories/GHSA-fhpf-pp6p-55qc"
          },
          {
            "name": "[debian-lts-announce] 20220318 [SECURITY] [DLA 2954-1] python-treq security update",
            "refsource": "MLIST",
            "url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00025.html"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-fhpf-pp6p-55qc",
        "discovery": "UNKNOWN"
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003c22.1.0",
          "affected_versions": "All versions before 22.1.0",
          "cwe_ids": [
            "CWE-1035",
            "CWE-937"
          ],
          "date": "2022-02-01",
          "description": "treq is an HTTP library inspired by requests but written on top of Twisted\u0027s Agents. Treq\u0027s request methods (`treq.get`, `treq.post`, etc.) and `treq.client.HTTPClient` constructor accept cookies as a dictionary. Such cookies are not bound to a single domain, and are therefore sent to *every* domain (\"supercookies\"). This can potentially cause sensitive information to leak upon an HTTP redirect to a different domain., e.g. should `https://example.com` redirect to `http://cloudstorageprovider.com` the latter will receive the cookie `session`. Treq bind cookies given to request methods (`treq.request`, `treq.get`, `HTTPClient.request`, `HTTPClient.get`, etc.) to the origin of the *url* parameter. Users are advised to upgrade. For users unable to upgrade Instead of passing a dictionary as the *cookies* argument, pass a `http.cookiejar.CookieJar` instance with properly domain- and scheme-scoped cookies in it.",
          "fixed_versions": [
            "22.1.0"
          ],
          "identifier": "CVE-2022-23607",
          "identifiers": [
            "GHSA-fhpf-pp6p-55qc",
            "CVE-2022-23607"
          ],
          "not_impacted": "All versions starting from 22.1.0",
          "package_slug": "pypi/treq",
          "pubdate": "2022-02-01",
          "solution": "Upgrade to version 22.1.0 or above.",
          "title": "Unsafe handling of user-specified cookies in treq",
          "urls": [
            "https://github.com/twisted/treq/security/advisories/GHSA-fhpf-pp6p-55qc",
            "https://github.com/twisted/treq/commit/1da6022cc880bbcff59321abe02bf8498b89efb2",
            "https://github.com/twisted/treq/releases/tag/release-22.1.0",
            "https://huntr.dev/bounties/3c9204fc-a3d1-4441-8599-924c5f57e7ae/?token=06d930e37046c914bcb037e85cc227dc7b510b475989fc69837566562ba899277d46b0fb4b1e21cdcb6ddc1b7d9b1ded632cf3a3551ecb89afca16a63b34641284b50479d5195bba2ac09b116f3dd4fad27f54404c2de922c05c8c8b744aec27bb4d4d198cb8b3abf479af0c2d5fbaa10412da7922594ac3eb39",
            "https://github.com/advisories/GHSA-fhpf-pp6p-55qc"
          ],
          "uuid": "d80f2ea8-4ff2-4050-aa54-65e003d414f3"
        }
      ]
    },
    "nvd.nist.gov": {
      "cve": {
        "configurations": [
          {
            "nodes": [
              {
                "cpeMatch": [
                  {
                    "criteria": "cpe:2.3:a:twistedmatrix:treq:*:*:*:*:*:*:*:*",
                    "matchCriteriaId": "1D318278-8A95-455E-A274-073710711201",
                    "versionEndExcluding": "22.1.0",
                    "versionStartIncluding": "21.1.0",
                    "vulnerable": true
                  }
                ],
                "negate": false,
                "operator": "OR"
              }
            ]
          },
          {
            "nodes": [
              {
                "cpeMatch": [
                  {
                    "criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*",
                    "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252",
                    "vulnerable": true
                  }
                ],
                "negate": false,
                "operator": "OR"
              }
            ]
          }
        ],
        "descriptions": [
          {
            "lang": "en",
            "value": "treq is an HTTP library inspired by requests but written on top of Twisted\u0027s Agents. Treq\u0027s request methods (`treq.get`, `treq.post`, etc.) and `treq.client.HTTPClient` constructor accept cookies as a dictionary. Such cookies are not bound to a single domain, and are therefore sent to *every* domain (\"supercookies\"). This can potentially cause sensitive information to leak upon an HTTP redirect to a different domain., e.g. should `https://example.com` redirect to `http://cloudstorageprovider.com` the latter will receive the cookie `session`. Treq 2021.1.0 and later bind cookies given to request methods (`treq.request`, `treq.get`, `HTTPClient.request`, `HTTPClient.get`, etc.) to the origin of the *url* parameter. Users are advised to upgrade. For users unable to upgrade Instead of passing a dictionary as the *cookies* argument, pass a `http.cookiejar.CookieJar` instance with properly domain- and scheme-scoped cookies in it."
          },
          {
            "lang": "es",
            "value": "treq es una librer\u00eda HTTP inspirada en peticiones pero escrita sobre los Agentes de Twisted. Los m\u00e9todos de petici\u00f3n de Treq (\"treq.get\", \"treq.post\", etc.) y el constructor \"treq.client.HTTPClient\" aceptan cookies como diccionario. Dichas cookies no est\u00e1n vinculadas a un \u00fanico dominio, por lo que son enviadas a *every* los dominios (\"supercookies\"). Esto puede potencialmente causar que se filtre informaci\u00f3n confidencial en un redireccionamiento HTTP a un dominio diferente, por ejemplo, si \"https://example.com\" es redirigido a \"http://cloudstorageprovider.com\" este \u00faltimo recibir\u00e1 la cookie \"session\". Treq versiones 2021.1.0 y posteriores vinculan las cookies dadas a los m\u00e9todos de petici\u00f3n (\"treq.request\", \"treq.get\", \"HTTPClient.request\", \"HTTPClient.get\", etc.) al origen del par\u00e1metro *url*. Se recomienda a usuarios que actualicen. Para usuarios que no puedan actualizarse En lugar de pasar un diccionario como argumento *cookies*, pase una instancia de \"http.cookiejar.CookieJar\" con las cookies apropiadas para el dominio y el esquema"
          }
        ],
        "id": "CVE-2022-23607",
        "lastModified": "2024-01-26T18:58:08.987",
        "metrics": {
          "cvssMetricV2": [
            {
              "acInsufInfo": false,
              "baseSeverity": "MEDIUM",
              "cvssData": {
                "accessComplexity": "MEDIUM",
                "accessVector": "NETWORK",
                "authentication": "NONE",
                "availabilityImpact": "NONE",
                "baseScore": 4.3,
                "confidentialityImpact": "PARTIAL",
                "integrityImpact": "NONE",
                "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
                "version": "2.0"
              },
              "exploitabilityScore": 8.6,
              "impactScore": 2.9,
              "obtainAllPrivilege": false,
              "obtainOtherPrivilege": false,
              "obtainUserPrivilege": false,
              "source": "nvd@nist.gov",
              "type": "Primary",
              "userInteractionRequired": true
            }
          ],
          "cvssMetricV31": [
            {
              "cvssData": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
                "version": "3.1"
              },
              "exploitabilityScore": 2.8,
              "impactScore": 3.6,
              "source": "nvd@nist.gov",
              "type": "Primary"
            },
            {
              "cvssData": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
                "version": "3.1"
              },
              "exploitabilityScore": 2.8,
              "impactScore": 3.6,
              "source": "security-advisories@github.com",
              "type": "Secondary"
            }
          ]
        },
        "published": "2022-02-01T11:15:11.557",
        "references": [
          {
            "source": "security-advisories@github.com",
            "tags": [
              "Mitigation",
              "Third Party Advisory"
            ],
            "url": "https://github.com/twisted/treq/security/advisories/GHSA-fhpf-pp6p-55qc"
          },
          {
            "source": "security-advisories@github.com",
            "tags": [
              "Mailing List",
              "Third Party Advisory"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00025.html"
          }
        ],
        "sourceIdentifier": "security-advisories@github.com",
        "vulnStatus": "Analyzed",
        "weaknesses": [
          {
            "description": [
              {
                "lang": "en",
                "value": "CWE-425"
              }
            ],
            "source": "nvd@nist.gov",
            "type": "Primary"
          },
          {
            "description": [
              {
                "lang": "en",
                "value": "CWE-200"
              }
            ],
            "source": "security-advisories@github.com",
            "type": "Secondary"
          }
        ]
      }
    }
  }
}

OPENSUSE-SU-2022:10098-1

Vulnerability from csaf_opensuse - Published: 2022-08-24 04:01 - Updated: 2022-08-24 04:01

Summary

Security update for python-treq

Notes

Title of the patch

Security update for python-treq

Description of the patch

This update for python-treq fixes the following issues: - Fixed CVE-2022-23607 (boo#1195432) binding cookies to the domain.

Patchnames

openSUSE-2022-10098

CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Security update for python-treq",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "This update for python-treq fixes the following issues:\n\n- Fixed CVE-2022-23607 (boo#1195432) binding cookies to the domain.\n",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-2022-10098",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2022_10098-1.json"
      },
      {
        "category": "self",
        "summary": "URL for openSUSE-SU-2022:10098-1",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/ZTECPNLPX6QR5JLJ2KQYTBYWNU6ZRUSG/"
      },
      {
        "category": "self",
        "summary": "E-Mail link for openSUSE-SU-2022:10098-1",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/ZTECPNLPX6QR5JLJ2KQYTBYWNU6ZRUSG/"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1195432",
        "url": "https://bugzilla.suse.com/1195432"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2022-23607 page",
        "url": "https://www.suse.com/security/cve/CVE-2022-23607/"
      }
    ],
    "title": "Security update for python-treq",
    "tracking": {
      "current_release_date": "2022-08-24T04:01:23Z",
      "generator": {
        "date": "2022-08-24T04:01:23Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2022:10098-1",
      "initial_release_date": "2022-08-24T04:01:23Z",
      "revision_history": [
        {
          "date": "2022-08-24T04:01:23Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python2-treq-20.3.0-bp153.2.3.1.noarch",
                "product": {
                  "name": "python2-treq-20.3.0-bp153.2.3.1.noarch",
                  "product_id": "python2-treq-20.3.0-bp153.2.3.1.noarch"
                }
              },
              {
                "category": "product_version",
                "name": "python3-treq-20.3.0-bp153.2.3.1.noarch",
                "product": {
                  "name": "python3-treq-20.3.0-bp153.2.3.1.noarch",
                  "product_id": "python3-treq-20.3.0-bp153.2.3.1.noarch"
                }
              }
            ],
            "category": "architecture",
            "name": "noarch"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "SUSE Package Hub 15 SP3",
                "product": {
                  "name": "SUSE Package Hub 15 SP3",
                  "product_id": "SUSE Package Hub 15 SP3"
                }
              },
              {
                "category": "product_name",
                "name": "openSUSE Leap 15.3",
                "product": {
                  "name": "openSUSE Leap 15.3",
                  "product_id": "openSUSE Leap 15.3",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:leap:15.3"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python2-treq-20.3.0-bp153.2.3.1.noarch as component of SUSE Package Hub 15 SP3",
          "product_id": "SUSE Package Hub 15 SP3:python2-treq-20.3.0-bp153.2.3.1.noarch"
        },
        "product_reference": "python2-treq-20.3.0-bp153.2.3.1.noarch",
        "relates_to_product_reference": "SUSE Package Hub 15 SP3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python3-treq-20.3.0-bp153.2.3.1.noarch as component of SUSE Package Hub 15 SP3",
          "product_id": "SUSE Package Hub 15 SP3:python3-treq-20.3.0-bp153.2.3.1.noarch"
        },
        "product_reference": "python3-treq-20.3.0-bp153.2.3.1.noarch",
        "relates_to_product_reference": "SUSE Package Hub 15 SP3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python2-treq-20.3.0-bp153.2.3.1.noarch as component of openSUSE Leap 15.3",
          "product_id": "openSUSE Leap 15.3:python2-treq-20.3.0-bp153.2.3.1.noarch"
        },
        "product_reference": "python2-treq-20.3.0-bp153.2.3.1.noarch",
        "relates_to_product_reference": "openSUSE Leap 15.3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python3-treq-20.3.0-bp153.2.3.1.noarch as component of openSUSE Leap 15.3",
          "product_id": "openSUSE Leap 15.3:python3-treq-20.3.0-bp153.2.3.1.noarch"
        },
        "product_reference": "python3-treq-20.3.0-bp153.2.3.1.noarch",
        "relates_to_product_reference": "openSUSE Leap 15.3"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2022-23607",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2022-23607"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "treq is an HTTP library inspired by requests but written on top of Twisted\u0027s Agents. Treq\u0027s request methods (`treq.get`, `treq.post`, etc.) and `treq.client.HTTPClient` constructor accept cookies as a dictionary. Such cookies are not bound to a single domain, and are therefore sent to *every* domain (\"supercookies\"). This can potentially cause sensitive information to leak upon an HTTP redirect to a different domain., e.g. should `https://example.com` redirect to `http://cloudstorageprovider.com` the latter will receive the cookie `session`. Treq 2021.1.0 and later bind cookies given to request methods (`treq.request`, `treq.get`, `HTTPClient.request`, `HTTPClient.get`, etc.) to the origin of the *url* parameter. Users are advised to upgrade. For users unable to upgrade Instead of passing a dictionary as the *cookies* argument, pass a `http.cookiejar.CookieJar` instance with properly domain- and scheme-scoped cookies in it.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Package Hub 15 SP3:python2-treq-20.3.0-bp153.2.3.1.noarch",
          "SUSE Package Hub 15 SP3:python3-treq-20.3.0-bp153.2.3.1.noarch",
          "openSUSE Leap 15.3:python2-treq-20.3.0-bp153.2.3.1.noarch",
          "openSUSE Leap 15.3:python3-treq-20.3.0-bp153.2.3.1.noarch"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2022-23607",
          "url": "https://www.suse.com/security/cve/CVE-2022-23607"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1195432 for CVE-2022-23607",
          "url": "https://bugzilla.suse.com/1195432"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Package Hub 15 SP3:python2-treq-20.3.0-bp153.2.3.1.noarch",
            "SUSE Package Hub 15 SP3:python3-treq-20.3.0-bp153.2.3.1.noarch",
            "openSUSE Leap 15.3:python2-treq-20.3.0-bp153.2.3.1.noarch",
            "openSUSE Leap 15.3:python3-treq-20.3.0-bp153.2.3.1.noarch"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "SUSE Package Hub 15 SP3:python2-treq-20.3.0-bp153.2.3.1.noarch",
            "SUSE Package Hub 15 SP3:python3-treq-20.3.0-bp153.2.3.1.noarch",
            "openSUSE Leap 15.3:python2-treq-20.3.0-bp153.2.3.1.noarch",
            "openSUSE Leap 15.3:python3-treq-20.3.0-bp153.2.3.1.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2022-08-24T04:01:23Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2022-23607"
    }
  ]
}

OPENSUSE-SU-2024:11806-1

Vulnerability from csaf_opensuse - Published: 2024-06-15 00:00 - Updated: 2024-06-15 00:00

Summary

python310-treq-22.1.0-1.1 on GA media

Notes

Title of the patch

python310-treq-22.1.0-1.1 on GA media

Description of the patch

These are all security issues fixed in the python310-treq-22.1.0-1.1 package on the GA media of openSUSE Tumbleweed.

Patchnames

openSUSE-Tumbleweed-2024-11806

CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "python310-treq-22.1.0-1.1 on GA media",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "These are all security issues fixed in the python310-treq-22.1.0-1.1 package on the GA media of openSUSE Tumbleweed.",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-Tumbleweed-2024-11806",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_11806-1.json"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2022-23607 page",
        "url": "https://www.suse.com/security/cve/CVE-2022-23607/"
      }
    ],
    "title": "python310-treq-22.1.0-1.1 on GA media",
    "tracking": {
      "current_release_date": "2024-06-15T00:00:00Z",
      "generator": {
        "date": "2024-06-15T00:00:00Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2024:11806-1",
      "initial_release_date": "2024-06-15T00:00:00Z",
      "revision_history": [
        {
          "date": "2024-06-15T00:00:00Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python310-treq-22.1.0-1.1.aarch64",
                "product": {
                  "name": "python310-treq-22.1.0-1.1.aarch64",
                  "product_id": "python310-treq-22.1.0-1.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "python38-treq-22.1.0-1.1.aarch64",
                "product": {
                  "name": "python38-treq-22.1.0-1.1.aarch64",
                  "product_id": "python38-treq-22.1.0-1.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "python39-treq-22.1.0-1.1.aarch64",
                "product": {
                  "name": "python39-treq-22.1.0-1.1.aarch64",
                  "product_id": "python39-treq-22.1.0-1.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python310-treq-22.1.0-1.1.ppc64le",
                "product": {
                  "name": "python310-treq-22.1.0-1.1.ppc64le",
                  "product_id": "python310-treq-22.1.0-1.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "python38-treq-22.1.0-1.1.ppc64le",
                "product": {
                  "name": "python38-treq-22.1.0-1.1.ppc64le",
                  "product_id": "python38-treq-22.1.0-1.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "python39-treq-22.1.0-1.1.ppc64le",
                "product": {
                  "name": "python39-treq-22.1.0-1.1.ppc64le",
                  "product_id": "python39-treq-22.1.0-1.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python310-treq-22.1.0-1.1.s390x",
                "product": {
                  "name": "python310-treq-22.1.0-1.1.s390x",
                  "product_id": "python310-treq-22.1.0-1.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "python38-treq-22.1.0-1.1.s390x",
                "product": {
                  "name": "python38-treq-22.1.0-1.1.s390x",
                  "product_id": "python38-treq-22.1.0-1.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "python39-treq-22.1.0-1.1.s390x",
                "product": {
                  "name": "python39-treq-22.1.0-1.1.s390x",
                  "product_id": "python39-treq-22.1.0-1.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python310-treq-22.1.0-1.1.x86_64",
                "product": {
                  "name": "python310-treq-22.1.0-1.1.x86_64",
                  "product_id": "python310-treq-22.1.0-1.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "python38-treq-22.1.0-1.1.x86_64",
                "product": {
                  "name": "python38-treq-22.1.0-1.1.x86_64",
                  "product_id": "python38-treq-22.1.0-1.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "python39-treq-22.1.0-1.1.x86_64",
                "product": {
                  "name": "python39-treq-22.1.0-1.1.x86_64",
                  "product_id": "python39-treq-22.1.0-1.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "openSUSE Tumbleweed",
                "product": {
                  "name": "openSUSE Tumbleweed",
                  "product_id": "openSUSE Tumbleweed",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:tumbleweed"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python310-treq-22.1.0-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python310-treq-22.1.0-1.1.aarch64"
        },
        "product_reference": "python310-treq-22.1.0-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python310-treq-22.1.0-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python310-treq-22.1.0-1.1.ppc64le"
        },
        "product_reference": "python310-treq-22.1.0-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python310-treq-22.1.0-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python310-treq-22.1.0-1.1.s390x"
        },
        "product_reference": "python310-treq-22.1.0-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python310-treq-22.1.0-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python310-treq-22.1.0-1.1.x86_64"
        },
        "product_reference": "python310-treq-22.1.0-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python38-treq-22.1.0-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python38-treq-22.1.0-1.1.aarch64"
        },
        "product_reference": "python38-treq-22.1.0-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python38-treq-22.1.0-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python38-treq-22.1.0-1.1.ppc64le"
        },
        "product_reference": "python38-treq-22.1.0-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python38-treq-22.1.0-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python38-treq-22.1.0-1.1.s390x"
        },
        "product_reference": "python38-treq-22.1.0-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python38-treq-22.1.0-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python38-treq-22.1.0-1.1.x86_64"
        },
        "product_reference": "python38-treq-22.1.0-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python39-treq-22.1.0-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python39-treq-22.1.0-1.1.aarch64"
        },
        "product_reference": "python39-treq-22.1.0-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python39-treq-22.1.0-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python39-treq-22.1.0-1.1.ppc64le"
        },
        "product_reference": "python39-treq-22.1.0-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python39-treq-22.1.0-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python39-treq-22.1.0-1.1.s390x"
        },
        "product_reference": "python39-treq-22.1.0-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python39-treq-22.1.0-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python39-treq-22.1.0-1.1.x86_64"
        },
        "product_reference": "python39-treq-22.1.0-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2022-23607",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2022-23607"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "treq is an HTTP library inspired by requests but written on top of Twisted\u0027s Agents. Treq\u0027s request methods (`treq.get`, `treq.post`, etc.) and `treq.client.HTTPClient` constructor accept cookies as a dictionary. Such cookies are not bound to a single domain, and are therefore sent to *every* domain (\"supercookies\"). This can potentially cause sensitive information to leak upon an HTTP redirect to a different domain., e.g. should `https://example.com` redirect to `http://cloudstorageprovider.com` the latter will receive the cookie `session`. Treq 2021.1.0 and later bind cookies given to request methods (`treq.request`, `treq.get`, `HTTPClient.request`, `HTTPClient.get`, etc.) to the origin of the *url* parameter. Users are advised to upgrade. For users unable to upgrade Instead of passing a dictionary as the *cookies* argument, pass a `http.cookiejar.CookieJar` instance with properly domain- and scheme-scoped cookies in it.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:python310-treq-22.1.0-1.1.aarch64",
          "openSUSE Tumbleweed:python310-treq-22.1.0-1.1.ppc64le",
          "openSUSE Tumbleweed:python310-treq-22.1.0-1.1.s390x",
          "openSUSE Tumbleweed:python310-treq-22.1.0-1.1.x86_64",
          "openSUSE Tumbleweed:python38-treq-22.1.0-1.1.aarch64",
          "openSUSE Tumbleweed:python38-treq-22.1.0-1.1.ppc64le",
          "openSUSE Tumbleweed:python38-treq-22.1.0-1.1.s390x",
          "openSUSE Tumbleweed:python38-treq-22.1.0-1.1.x86_64",
          "openSUSE Tumbleweed:python39-treq-22.1.0-1.1.aarch64",
          "openSUSE Tumbleweed:python39-treq-22.1.0-1.1.ppc64le",
          "openSUSE Tumbleweed:python39-treq-22.1.0-1.1.s390x",
          "openSUSE Tumbleweed:python39-treq-22.1.0-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2022-23607",
          "url": "https://www.suse.com/security/cve/CVE-2022-23607"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1195432 for CVE-2022-23607",
          "url": "https://bugzilla.suse.com/1195432"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:python310-treq-22.1.0-1.1.aarch64",
            "openSUSE Tumbleweed:python310-treq-22.1.0-1.1.ppc64le",
            "openSUSE Tumbleweed:python310-treq-22.1.0-1.1.s390x",
            "openSUSE Tumbleweed:python310-treq-22.1.0-1.1.x86_64",
            "openSUSE Tumbleweed:python38-treq-22.1.0-1.1.aarch64",
            "openSUSE Tumbleweed:python38-treq-22.1.0-1.1.ppc64le",
            "openSUSE Tumbleweed:python38-treq-22.1.0-1.1.s390x",
            "openSUSE Tumbleweed:python38-treq-22.1.0-1.1.x86_64",
            "openSUSE Tumbleweed:python39-treq-22.1.0-1.1.aarch64",
            "openSUSE Tumbleweed:python39-treq-22.1.0-1.1.ppc64le",
            "openSUSE Tumbleweed:python39-treq-22.1.0-1.1.s390x",
            "openSUSE Tumbleweed:python39-treq-22.1.0-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:python310-treq-22.1.0-1.1.aarch64",
            "openSUSE Tumbleweed:python310-treq-22.1.0-1.1.ppc64le",
            "openSUSE Tumbleweed:python310-treq-22.1.0-1.1.s390x",
            "openSUSE Tumbleweed:python310-treq-22.1.0-1.1.x86_64",
            "openSUSE Tumbleweed:python38-treq-22.1.0-1.1.aarch64",
            "openSUSE Tumbleweed:python38-treq-22.1.0-1.1.ppc64le",
            "openSUSE Tumbleweed:python38-treq-22.1.0-1.1.s390x",
            "openSUSE Tumbleweed:python38-treq-22.1.0-1.1.x86_64",
            "openSUSE Tumbleweed:python39-treq-22.1.0-1.1.aarch64",
            "openSUSE Tumbleweed:python39-treq-22.1.0-1.1.ppc64le",
            "openSUSE Tumbleweed:python39-treq-22.1.0-1.1.s390x",
            "openSUSE Tumbleweed:python39-treq-22.1.0-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-15T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2022-23607"
    }
  ]
}

OPENSUSE-SU-2025:15106-1

Vulnerability from csaf_opensuse - Published: 2025-05-17 00:00 - Updated: 2025-05-17 00:00

Summary

python311-treq-24.9.1-1.4 on GA media

Notes

Title of the patch

python311-treq-24.9.1-1.4 on GA media

Description of the patch

These are all security issues fixed in the python311-treq-24.9.1-1.4 package on the GA media of openSUSE Tumbleweed.

Patchnames

openSUSE-Tumbleweed-2025-15106

CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "python311-treq-24.9.1-1.4 on GA media",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "These are all security issues fixed in the python311-treq-24.9.1-1.4 package on the GA media of openSUSE Tumbleweed.",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-Tumbleweed-2025-15106",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2025_15106-1.json"
      },
      {
        "category": "self",
        "summary": "URL for openSUSE-SU-2025:15106-1",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/RSHEP4XHC66ONG55FD2QGET2PJFLWIVT/"
      },
      {
        "category": "self",
        "summary": "E-Mail link for openSUSE-SU-2025:15106-1",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/RSHEP4XHC66ONG55FD2QGET2PJFLWIVT/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2022-23607 page",
        "url": "https://www.suse.com/security/cve/CVE-2022-23607/"
      }
    ],
    "title": "python311-treq-24.9.1-1.4 on GA media",
    "tracking": {
      "current_release_date": "2025-05-17T00:00:00Z",
      "generator": {
        "date": "2025-05-17T00:00:00Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2025:15106-1",
      "initial_release_date": "2025-05-17T00:00:00Z",
      "revision_history": [
        {
          "date": "2025-05-17T00:00:00Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python311-treq-24.9.1-1.4.aarch64",
                "product": {
                  "name": "python311-treq-24.9.1-1.4.aarch64",
                  "product_id": "python311-treq-24.9.1-1.4.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "python312-treq-24.9.1-1.4.aarch64",
                "product": {
                  "name": "python312-treq-24.9.1-1.4.aarch64",
                  "product_id": "python312-treq-24.9.1-1.4.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "python313-treq-24.9.1-1.4.aarch64",
                "product": {
                  "name": "python313-treq-24.9.1-1.4.aarch64",
                  "product_id": "python313-treq-24.9.1-1.4.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python311-treq-24.9.1-1.4.ppc64le",
                "product": {
                  "name": "python311-treq-24.9.1-1.4.ppc64le",
                  "product_id": "python311-treq-24.9.1-1.4.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "python312-treq-24.9.1-1.4.ppc64le",
                "product": {
                  "name": "python312-treq-24.9.1-1.4.ppc64le",
                  "product_id": "python312-treq-24.9.1-1.4.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "python313-treq-24.9.1-1.4.ppc64le",
                "product": {
                  "name": "python313-treq-24.9.1-1.4.ppc64le",
                  "product_id": "python313-treq-24.9.1-1.4.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python311-treq-24.9.1-1.4.s390x",
                "product": {
                  "name": "python311-treq-24.9.1-1.4.s390x",
                  "product_id": "python311-treq-24.9.1-1.4.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "python312-treq-24.9.1-1.4.s390x",
                "product": {
                  "name": "python312-treq-24.9.1-1.4.s390x",
                  "product_id": "python312-treq-24.9.1-1.4.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "python313-treq-24.9.1-1.4.s390x",
                "product": {
                  "name": "python313-treq-24.9.1-1.4.s390x",
                  "product_id": "python313-treq-24.9.1-1.4.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python311-treq-24.9.1-1.4.x86_64",
                "product": {
                  "name": "python311-treq-24.9.1-1.4.x86_64",
                  "product_id": "python311-treq-24.9.1-1.4.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "python312-treq-24.9.1-1.4.x86_64",
                "product": {
                  "name": "python312-treq-24.9.1-1.4.x86_64",
                  "product_id": "python312-treq-24.9.1-1.4.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "python313-treq-24.9.1-1.4.x86_64",
                "product": {
                  "name": "python313-treq-24.9.1-1.4.x86_64",
                  "product_id": "python313-treq-24.9.1-1.4.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "openSUSE Tumbleweed",
                "product": {
                  "name": "openSUSE Tumbleweed",
                  "product_id": "openSUSE Tumbleweed",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:tumbleweed"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python311-treq-24.9.1-1.4.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python311-treq-24.9.1-1.4.aarch64"
        },
        "product_reference": "python311-treq-24.9.1-1.4.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python311-treq-24.9.1-1.4.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python311-treq-24.9.1-1.4.ppc64le"
        },
        "product_reference": "python311-treq-24.9.1-1.4.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python311-treq-24.9.1-1.4.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python311-treq-24.9.1-1.4.s390x"
        },
        "product_reference": "python311-treq-24.9.1-1.4.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python311-treq-24.9.1-1.4.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python311-treq-24.9.1-1.4.x86_64"
        },
        "product_reference": "python311-treq-24.9.1-1.4.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python312-treq-24.9.1-1.4.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python312-treq-24.9.1-1.4.aarch64"
        },
        "product_reference": "python312-treq-24.9.1-1.4.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python312-treq-24.9.1-1.4.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python312-treq-24.9.1-1.4.ppc64le"
        },
        "product_reference": "python312-treq-24.9.1-1.4.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python312-treq-24.9.1-1.4.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python312-treq-24.9.1-1.4.s390x"
        },
        "product_reference": "python312-treq-24.9.1-1.4.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python312-treq-24.9.1-1.4.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python312-treq-24.9.1-1.4.x86_64"
        },
        "product_reference": "python312-treq-24.9.1-1.4.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python313-treq-24.9.1-1.4.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python313-treq-24.9.1-1.4.aarch64"
        },
        "product_reference": "python313-treq-24.9.1-1.4.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python313-treq-24.9.1-1.4.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python313-treq-24.9.1-1.4.ppc64le"
        },
        "product_reference": "python313-treq-24.9.1-1.4.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python313-treq-24.9.1-1.4.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python313-treq-24.9.1-1.4.s390x"
        },
        "product_reference": "python313-treq-24.9.1-1.4.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python313-treq-24.9.1-1.4.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python313-treq-24.9.1-1.4.x86_64"
        },
        "product_reference": "python313-treq-24.9.1-1.4.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2022-23607",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2022-23607"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "treq is an HTTP library inspired by requests but written on top of Twisted\u0027s Agents. Treq\u0027s request methods (`treq.get`, `treq.post`, etc.) and `treq.client.HTTPClient` constructor accept cookies as a dictionary. Such cookies are not bound to a single domain, and are therefore sent to *every* domain (\"supercookies\"). This can potentially cause sensitive information to leak upon an HTTP redirect to a different domain., e.g. should `https://example.com` redirect to `http://cloudstorageprovider.com` the latter will receive the cookie `session`. Treq 2021.1.0 and later bind cookies given to request methods (`treq.request`, `treq.get`, `HTTPClient.request`, `HTTPClient.get`, etc.) to the origin of the *url* parameter. Users are advised to upgrade. For users unable to upgrade Instead of passing a dictionary as the *cookies* argument, pass a `http.cookiejar.CookieJar` instance with properly domain- and scheme-scoped cookies in it.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:python311-treq-24.9.1-1.4.aarch64",
          "openSUSE Tumbleweed:python311-treq-24.9.1-1.4.ppc64le",
          "openSUSE Tumbleweed:python311-treq-24.9.1-1.4.s390x",
          "openSUSE Tumbleweed:python311-treq-24.9.1-1.4.x86_64",
          "openSUSE Tumbleweed:python312-treq-24.9.1-1.4.aarch64",
          "openSUSE Tumbleweed:python312-treq-24.9.1-1.4.ppc64le",
          "openSUSE Tumbleweed:python312-treq-24.9.1-1.4.s390x",
          "openSUSE Tumbleweed:python312-treq-24.9.1-1.4.x86_64",
          "openSUSE Tumbleweed:python313-treq-24.9.1-1.4.aarch64",
          "openSUSE Tumbleweed:python313-treq-24.9.1-1.4.ppc64le",
          "openSUSE Tumbleweed:python313-treq-24.9.1-1.4.s390x",
          "openSUSE Tumbleweed:python313-treq-24.9.1-1.4.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2022-23607",
          "url": "https://www.suse.com/security/cve/CVE-2022-23607"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1195432 for CVE-2022-23607",
          "url": "https://bugzilla.suse.com/1195432"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:python311-treq-24.9.1-1.4.aarch64",
            "openSUSE Tumbleweed:python311-treq-24.9.1-1.4.ppc64le",
            "openSUSE Tumbleweed:python311-treq-24.9.1-1.4.s390x",
            "openSUSE Tumbleweed:python311-treq-24.9.1-1.4.x86_64",
            "openSUSE Tumbleweed:python312-treq-24.9.1-1.4.aarch64",
            "openSUSE Tumbleweed:python312-treq-24.9.1-1.4.ppc64le",
            "openSUSE Tumbleweed:python312-treq-24.9.1-1.4.s390x",
            "openSUSE Tumbleweed:python312-treq-24.9.1-1.4.x86_64",
            "openSUSE Tumbleweed:python313-treq-24.9.1-1.4.aarch64",
            "openSUSE Tumbleweed:python313-treq-24.9.1-1.4.ppc64le",
            "openSUSE Tumbleweed:python313-treq-24.9.1-1.4.s390x",
            "openSUSE Tumbleweed:python313-treq-24.9.1-1.4.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:python311-treq-24.9.1-1.4.aarch64",
            "openSUSE Tumbleweed:python311-treq-24.9.1-1.4.ppc64le",
            "openSUSE Tumbleweed:python311-treq-24.9.1-1.4.s390x",
            "openSUSE Tumbleweed:python311-treq-24.9.1-1.4.x86_64",
            "openSUSE Tumbleweed:python312-treq-24.9.1-1.4.aarch64",
            "openSUSE Tumbleweed:python312-treq-24.9.1-1.4.ppc64le",
            "openSUSE Tumbleweed:python312-treq-24.9.1-1.4.s390x",
            "openSUSE Tumbleweed:python312-treq-24.9.1-1.4.x86_64",
            "openSUSE Tumbleweed:python313-treq-24.9.1-1.4.aarch64",
            "openSUSE Tumbleweed:python313-treq-24.9.1-1.4.ppc64le",
            "openSUSE Tumbleweed:python313-treq-24.9.1-1.4.s390x",
            "openSUSE Tumbleweed:python313-treq-24.9.1-1.4.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-05-17T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2022-23607"
    }
  ]
}

PYSEC-2022-26

Vulnerability from pysec - Published: 2022-02-01 11:15 - Updated: 2022-02-08 17:32

Details

treq is an HTTP library inspired by requests but written on top of Twisted's Agents. Treq's request methods (treq.get, treq.post, etc.) and treq.client.HTTPClient constructor accept cookies as a dictionary. Such cookies are not bound to a single domain, and are therefore sent to every domain ("supercookies"). This can potentially cause sensitive information to leak upon an HTTP redirect to a different domain., e.g. should https://example.com redirect to http://cloudstorageprovider.com the latter will receive the cookie session. Treq 2021.1.0 and later bind cookies given to request methods (treq.request, treq.get, HTTPClient.request, HTTPClient.get, etc.) to the origin of the url parameter. Users are advised to upgrade. For users unable to upgrade Instead of passing a dictionary as the cookies argument, pass a http.cookiejar.CookieJar instance with properly domain- and scheme-scoped cookies in it.

Impacted products

Name	purl
treq	pkg:pypi/treq

Aliases

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "treq",
        "purl": "pkg:pypi/treq"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "21.1.0"
            },
            {
              "fixed": "22.1.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "21.1.0",
        "21.5.0"
      ]
    }
  ],
  "aliases": [
    "CVE-2022-23607",
    "GHSA-fhpf-pp6p-55qc"
  ],
  "details": "treq is an HTTP library inspired by requests but written on top of Twisted\u0027s Agents. Treq\u0027s request methods (`treq.get`, `treq.post`, etc.) and `treq.client.HTTPClient` constructor accept cookies as a dictionary. Such cookies are not bound to a single domain, and are therefore sent to *every* domain (\"supercookies\"). This can potentially cause sensitive information to leak upon an HTTP redirect to a different domain., e.g. should `https://example.com` redirect to `http://cloudstorageprovider.com` the latter will receive the cookie `session`. Treq 2021.1.0 and later bind cookies given to request methods (`treq.request`, `treq.get`, `HTTPClient.request`, `HTTPClient.get`, etc.) to the origin of the *url* parameter. Users are advised to upgrade. For users unable to upgrade Instead of passing a dictionary as the *cookies* argument, pass a `http.cookiejar.CookieJar` instance with properly domain- and scheme-scoped cookies in it.",
  "id": "PYSEC-2022-26",
  "modified": "2022-02-08T17:32:07.420457Z",
  "published": "2022-02-01T11:15:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://github.com/twisted/treq/security/advisories/GHSA-fhpf-pp6p-55qc"
    }
  ]
}

GHSA-FHPF-PP6P-55QC

Vulnerability from github – Published: 2022-02-01 00:43 – Updated: 2024-11-13 23:03

Summary

Unsafe handling of user-specified cookies in treq

Details

Impact

Treq's request methods (treq.get, treq.post, HTTPClient.request, HTTPClient.get, etc.) accept cookies as a dictionary, for example:

treq.get('https://example.com/', cookies={'session': '1234'})

Such cookies are not bound to a single domain, and are therefore sent to every domain ("supercookies"). This can potentially cause sensitive information to leak upon an HTTP redirect to a different domain., e.g. should https://example.com redirect to http://cloudstorageprovider.com the latter will receive the cookie session.

Patches

Treq 2021.1.0 and later bind cookies given to request methods (treq.request, treq.get, HTTPClient.request, HTTPClient.get, etc.) to the origin of the url parameter.

Workarounds

Instead of passing a dictionary as the cookies argument, pass a http.cookiejar.CookieJar instance with properly domain- and scheme-scoped cookies in it:

from http.cookiejar import CookieJar
from requests.cookies import create_cookie

jar = CookieJar()
jar.add_cookie(
    create_cookie(
        name='session',
        value='1234',
        domain='example.com',
        secure=True,
    ),
)
client = HTTPClient(cookies=jar)
client.get('https://example.com/')

References

Originally reported at huntr.dev
A related issue in the handling of HTTP basic authentication was addressed in Twisted 22.1 (GHSA-92x2-jw7w-xvvx, CVE-2022-21712).

Severity ?

6.5 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

7.1 (High)


                  
                    CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "treq"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "22.1.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-23607"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-425",
      "CWE-601"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-01-31T22:05:38Z",
    "nvd_published_at": "2022-02-01T11:15:00Z",
    "severity": "HIGH"
  },
  "details": "### Impact\n\nTreq\u0027s request methods (`treq.get`, `treq.post`, `HTTPClient.request`, `HTTPClient.get`, etc.) accept cookies as a dictionary, for example:\n\n```py\ntreq.get(\u0027https://example.com/\u0027, cookies={\u0027session\u0027: \u00271234\u0027})\n```\n\nSuch cookies are not bound to a single domain, and are therefore sent to *every* domain (\"supercookies\"). This can potentially cause sensitive information to leak upon an HTTP redirect to a different domain., e.g. should `https://example.com` redirect to `http://cloudstorageprovider.com` the latter will receive the cookie `session`.\n\n### Patches\n\nTreq 2021.1.0 and later bind cookies given to request methods (`treq.request`, `treq.get`, `HTTPClient.request`, `HTTPClient.get`, etc.) to the origin of the *url* parameter.\n\n### Workarounds\n\nInstead of passing a dictionary as the *cookies* argument, pass a `http.cookiejar.CookieJar` instance with properly domain- and scheme-scoped cookies in it:\n\n```py\nfrom http.cookiejar import CookieJar\nfrom requests.cookies import create_cookie\n\njar = CookieJar()\njar.add_cookie(\n    create_cookie(\n        name=\u0027session\u0027,\n        value=\u00271234\u0027,\n        domain=\u0027example.com\u0027,\n        secure=True,\n    ),\n)\nclient = HTTPClient(cookies=jar)\nclient.get(\u0027https://example.com/\u0027)\n```\n\n### References\n\n* Originally reported at [huntr.dev](https://huntr.dev/bounties/3c9204fc-a3d1-4441-8599-924c5f57e7ae/?token=06d930e37046c914bcb037e85cc227dc7b510b475989fc69837566562ba899277d46b0fb4b1e21cdcb6ddc1b7d9b1ded632cf3a3551ecb89afca16a63b34641284b50479d5195bba2ac09b116f3dd4fad27f54404c2de922c05c8c8b744aec27bb4d4d198cb8b3abf479af0c2d5fbaa10412da7922594ac3eb39)\n* A related issue in the handling of HTTP basic authentication was addressed in Twisted 22.1 ([GHSA-92x2-jw7w-xvvx](https://github.com/twisted/twisted/security/advisories/GHSA-92x2-jw7w-xvvx), CVE-2022-21712).",
  "id": "GHSA-fhpf-pp6p-55qc",
  "modified": "2024-11-13T23:03:05Z",
  "published": "2022-02-01T00:43:38Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/twisted/treq/security/advisories/GHSA-fhpf-pp6p-55qc"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23607"
    },
    {
      "type": "WEB",
      "url": "https://github.com/twisted/treq/commit/1da6022cc880bbcff59321abe02bf8498b89efb2"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/treq/PYSEC-2022-26.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/twisted/treq"
    },
    {
      "type": "WEB",
      "url": "https://github.com/twisted/treq/releases/tag/release-22.1.0"
    },
    {
      "type": "WEB",
      "url": "https://huntr.dev/bounties/3c9204fc-a3d1-4441-8599-924c5f57e7ae/?token=06d930e37046c914bcb037e85cc227dc7b510b475989fc69837566562ba899277d46b0fb4b1e21cdcb6ddc1b7d9b1ded632cf3a3551ecb89afca16a63b34641284b50479d5195bba2ac09b116f3dd4fad27f54404c2de922c05c8c8b744aec27bb4d4d198cb8b3abf479af0c2d5fbaa10412da7922594ac3eb39"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00025.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Unsafe handling of user-specified cookies in treq"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2022-23607 (GCVE-0-2022-23607)

FKIE_CVE-2022-23607

GSD-2022-23607

OPENSUSE-SU-2022:10098-1

OPENSUSE-SU-2024:11806-1

OPENSUSE-SU-2025:15106-1

PYSEC-2022-26

GHSA-FHPF-PP6P-55QC

Impact

Patches

Workarounds

References

Tags

Sightings

Nomenclature