PT-2019-5708 · Python +8

Published: 2018-10-31 · Updated: 2024-07-11 · CVE-2018-20852

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions

Python versions 2.x through 2.7.16
Python versions 3.x before 3.4.10
Python versions 3.5.x before 3.5.7
Python versions 3.6.x before 3.6.9
Python versions 3.7.x before 3.7.3
Description

The issue is related to incorrect domain validation in the http.cookiejar.DefaultPolicy.domain_return_ok() function of the Python interpreter. A remote attacker can exploit it to gain unauthorized access to protected information: a server whose hostname has another valid hostname as a suffix is treated as matching that hostname's cookie domain, so existing cookies for the legitimate host are leaked to the attacker's server.
Recommendations

For Python versions 2.x through 2.7.16, update to a version after 2.7.16 or apply a patch if available.
For Python versions 3.x before 3.4.10, update to a version after 3.4.10 or apply a patch if available.
For Python versions 3.5.x before 3.5.7, update to a version after 3.5.7 or apply a patch if available.
For Python versions 3.6.x before 3.6.9, update to a version after 3.6.9 or apply a patch if available.
For Python versions 3.7.x before 3.7.3, update to a version after 3.7.3 or apply a patch if available.
As a temporary workaround, consider restricting access to the http.cookiejar.DefaultPolicy.domain_return_ok() function until a patch is available.
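The script below is an added example, not code from this advisory or from CPython. It verifies whether the interpreter it runs under applies strict cookie-domain matching, which is the check a defender wants before trusting that interpreter with session cookies. It uses the class as it actually exists in the standard library, http.cookiejar.DefaultCookiePolicy (the advisory text abbreviates it as DefaultPolicy), and constructed host names under the reserved .test TLD: example.test stands for the site that set the cookie and badexample.test for an unrelated host that merely ends with that name. It performs two checks: a direct call to domain_return_ok() and an end-to-end cookie jar round trip with a host-only cookie (one set without a Domain attribute, the shape the unpatched comparison mishandled). On a patched interpreter both checks return True.

```python
"""Check whether this interpreter's http.cookiejar rejects hosts that only
have a cookie's domain as a suffix (the CVE-2018-20852 fix).

Added example, not code from the advisory or from CPython. Host names are
constructed: 'example.test' is the site that set the cookie, 'badexample.test'
an unrelated host that ends with that name (.test is reserved, never resolves).
"""
from email.message import Message
from http.cookiejar import CookieJar, DefaultCookiePolicy
from urllib.request import Request

VICTIM_HOST = "example.test"      # constructed: host that set the cookie
SUFFIX_HOST = "badexample.test"   # constructed: ends with VICTIM_HOST, unrelated


class _FakeResponse:
    """Minimal stand-in for the response object extract_cookies() expects:
    only .info(), returning a Message with get_all(), is ever used."""

    def __init__(self, set_cookie_values):
        self._headers = Message()
        for value in set_cookie_values:
            self._headers["Set-Cookie"] = value   # Message appends, not replaces

    def info(self):
        return self._headers


def build_jar_with_host_only_cookie():
    """Store a cookie set by VICTIM_HOST without a Domain attribute.

    Such a cookie is stored with domain 'example.test' (no leading dot), which
    is exactly the value the pre-fix suffix comparison matched too loosely."""
    jar = CookieJar(policy=DefaultCookiePolicy())
    request = Request(f"http://{VICTIM_HOST}/")
    response = _FakeResponse(["session=abc123; Path=/"])  # constructed header
    jar.extract_cookies(response, request)
    return jar


def cookie_header_for(jar, url):
    """Return the Cookie header the jar attaches to a request for url, or
    None when the policy withholds every stored cookie."""
    request = Request(url)
    jar.add_cookie_header(request)
    return request.get_header("Cookie")


def domain_check_is_strict():
    """True when domain_return_ok() rejects a host that only has the cookie
    domain as a suffix while still accepting the originating host."""
    policy = DefaultCookiePolicy()
    leaks_to_suffix = policy.domain_return_ok(
        VICTIM_HOST, Request(f"http://{SUFFIX_HOST}/"))
    accepts_origin = policy.domain_return_ok(
        VICTIM_HOST, Request(f"http://{VICTIM_HOST}/"))
    return accepts_origin and not leaks_to_suffix


def interpreter_is_patched():
    """End-to-end check: the stored cookie must reach VICTIM_HOST and must
    never be attached to a request for SUFFIX_HOST."""
    jar = build_jar_with_host_only_cookie()
    sent_to_origin = cookie_header_for(jar, f"http://{VICTIM_HOST}/") is not None
    sent_to_suffix = cookie_header_for(jar, f"http://{SUFFIX_HOST}/") is not None
    return sent_to_origin and not sent_to_suffix


if __name__ == "__main__":
    import sys
    print(f"Python {sys.version.split()[0]}")
    print("domain_return_ok() strict:", domain_check_is_strict())
    print("cookie jar withholds cookie from suffix host:", interpreter_is_patched())
```

Run it under each interpreter that fetches URLs with cookies (build agents, scrapers, service accounts); a False from either function means the interpreter still has the loose suffix comparison and the version-based upgrade in the recommendations applies. The direct domain_return_ok() call is the quicker check, but the round trip through CookieJar is the one that reflects what real requests would send.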

Exploit

Fix

RCE


Related Identifiers

ALSA-2020:1605
ALT-PU-2019-1685
ALT-PU-2019-3103
ALT-PU-2020-3318
BDU:2021-00373
CESA-2020_1131
CESA-2020_1132
CESA-2020_1605
CESA-2020_1764
CVE-2018-20852
DLA-1889-1
DLA-1906-1
DLA-2280-1
DLA-2337-1
OPENSUSE-SU-2019:1988-1
OPENSUSE-SU-2019:1989-1
OPENSUSE-SU-2019_1988-1
OPENSUSE-SU-2019_1989-1
OPENSUSE-SU-2020:0086-1
OPENSUSE-SU-2020_0086-1
OPENSUSE-SU-2024:11202-1
OPENSUSE-SU-2024:11284-1
RHSA-2019:3725
RHSA-2019:3948
RHSA-2020:1131
RHSA-2020:1132
RHSA-2020:1605
RHSA-2020:1764
RHSA-2020_1131
RHSA-2020_1132
RHSA-2020_1605
RHSA-2020_1764
RLSA-2020:1605
SUSE-SU-2019:14142-1
SUSE-SU-2019:14246-1
SUSE-SU-2019:2050-1
SUSE-SU-2019:2091-1
SUSE-SU-2019:2114-1
SUSE-SU-2019:2798-1
SUSE-SU-2019_14142-1
SUSE-SU-2019_14246-1
SUSE-SU-2019_2050-1
SUSE-SU-2019_2091-1
SUSE-SU-2019_2114-1
SUSE-SU-2019_2798-1
SUSE-SU-2020:0114-1
SUSE-SU-2020:0234-1
SUSE-SU-2020:0302-1
SUSE-SU-2020:2699-1
USN-4127-1
USN-4127-2
USN-6891-1

Affected Products

Alt Linux
Almalinux
Centos
Linuxmint
Python
Red Hat
Rocky Linux
Suse
Ubuntu