PT-2022-16122 · Treq+1

Published: 2022-02-01 · Updated: 2025-05-17 · CVE-2022-23607

CVSS v4.0: 7.1 (High)

Vector: AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: treq versions prior to 2021.1.0

Description: The treq library's request methods (treq.get, treq.post, etc.) and the treq.client.HTTPClient constructor accept cookies as a dictionary. These cookies are not bound to a single domain and are sent to every domain, potentially causing sensitive information to leak upon an HTTP redirect to a different domain. For example, if https://example.com redirects to http://cloudstorageprovider.com, the latter will receive the session cookie.

Recommendations: For versions prior to 2021.1.0, instead of passing a dictionary as the cookies argument, pass an http.cookiejar.CookieJar instance with properly domain- and scheme-scoped cookies in it. Upgrade to treq version 2021.1.0 or later, which binds cookies given to request methods to the origin of the url parameter.
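The recommendation above hinges on the cookies in the jar carrying a domain and a Secure flag. The following added example (not code from treq or from this advisory) uses only the Python standard library to show the difference: a cookie bound to example.com and HTTPS is attached only to https://example.com requests, while a cookie with no domain and no Secure flag, which is what a plain dictionary amounts to, is attached to any host, including the cloudstorageprovider.com redirect target from the description. The helper names, the domain names and the cookie values are constructed for the illustration; CookieJar.add_cookie_header does no network I/O, so the check runs offline.

```python
from http.cookiejar import Cookie, CookieJar
from typing import Optional
from urllib.request import Request


def make_cookie(name: str, value: str, domain: Optional[str] = None,
                secure: bool = True) -> Cookie:
    """Build a Netscape-style (version 0) cookie for a CookieJar.

    domain=None produces a cookie with no domain attribute at all, which the
    standard-library policy treats as matching every host; that mirrors the
    "dictionary of cookies" behaviour the advisory describes. A real domain
    binds the cookie to that host (and to subdomains when it starts with ".").
    """
    dom = domain or ""
    return Cookie(
        version=0, name=name, value=value,
        port=None, port_specified=False,
        domain=dom, domain_specified=domain is not None,
        domain_initial_dot=dom.startswith("."),
        path="/", path_specified=True,
        secure=secure,            # True: only attached to https:// requests
        expires=None, discard=True,
        comment=None, comment_url=None, rest={}, rfc2109=False,
    )


def scoped_jar(domain: str, name: str, value: str) -> CookieJar:
    """Jar holding one session cookie bound to `domain` and to HTTPS."""
    jar = CookieJar()
    jar.set_cookie(make_cookie(name, value, domain=domain, secure=True))
    return jar


def unscoped_jar(name: str, value: str) -> CookieJar:
    """Jar holding one cookie with neither a domain nor a Secure flag."""
    jar = CookieJar()
    jar.set_cookie(make_cookie(name, value, domain=None, secure=False))
    return jar


def cookie_header_for(jar: CookieJar, url: str) -> Optional[str]:
    """Return the Cookie header the jar would attach to a request for `url`,
    or None if the jar's policy withholds every cookie.

    Only the request's scheme, host and path are consulted; nothing is sent.
    """
    req = Request(url)
    jar.add_cookie_header(req)
    return req.get_header("Cookie")


if __name__ == "__main__":
    # Constructed sample values: a session cookie that should stay on example.com.
    scoped = scoped_jar("example.com", "session", "abc123")
    leaky = unscoped_jar("session", "abc123")
    for url in ("https://example.com/account",
                "http://example.com/account",
                "http://cloudstorageprovider.com/upload"):
        print(f"{url:45} scoped={cookie_header_for(scoped, url)!r:20} "
              f"unscoped={cookie_header_for(leaky, url)!r}")
```

Running the block prints one line per URL: the scoped jar yields a Cookie header only for the https://example.com request and None for the plain-http and foreign-host requests, whereas the unscoped jar yields the session cookie for all three. When building a jar for treq, the same Cookie constructor arguments apply; the point is that domain_specified and secure are what keep the cookie from following a cross-domain redirect.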

Exploit

Fix

Information Disclosure

Open Redirect

Weakness Enumeration

Related Identifiers

CVE-2022-23607
DLA-2954-1
GHSA-FHPF-PP6P-55QC
OPENSUSE-SU-2022:10098-1
OPENSUSE-SU-2024:11806-1
OPENSUSE-SU-2025:15106-1
PYSEC-2022-26

Affected Products

Debian
Treq