6.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-23607

GHSA ID

GHSA-fhpf-pp6p-55qc

EPSS Score

0.4152%

CWE

CWE-200

Published

2/1/2022

Updated

11/13/2024

KEV Status

Technology

Python

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-23607

CVE-2022-23607: Unsafe handling of user-specified cookies in treq

Impact

Treq's request methods (treq.get, treq.post, HTTPClient.request, HTTPClient.get, etc.) accept cookies as a dictionary, for example:

treq.get('https://example.com/', cookies={'session': '1234'})

Such cookies are not bound to a single domain, and are therefore sent to every domain ("supercookies"). This can potentially cause sensitive information to leak upon an HTTP redirect to a different domain., e.g. should https://example.com redirect to http://cloudstorageprovider.com the latter will receive the cookie session.

Patches

Treq 2021.1.0 and later bind cookies given to request methods (treq.request, treq.get, HTTPClient.request, HTTPClient.get, etc.) to the origin of the url parameter.

Workarounds

Instead of passing a dictionary as the cookies argument, pass a http.cookiejar.CookieJar instance with properly domain- and scheme-scoped cookies in it:

from http.cookiejar import CookieJar
from requests.cookies import create_cookie

jar = CookieJar()
jar.add_cookie(
    create_cookie(
        name='session',
        value='1234',
        domain='example.com',
        secure=True,
    ),
)
client = HTTPClient(cookies=jar)
client.get('https://example.com/')

References

Originally reported at huntr.dev
A related issue in the handling of HTTP basic authentication was addressed in Twisted 22.1 (GHSA-92x2-jw7w-xvvx, CVE-2022-21712).

(GitHub Advisory)

6.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-23607

GHSA ID

GHSA-fhpf-pp6p-55qc

EPSS Score

0.4152%

CWE

CWE-200

Published

2/1/2022

Updated

11/13/2024

KEV Status

Technology

Python

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
treq	pip	< 22.1.0	22.1.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from request methods (treq.get, treq.post, HTTPClient.request) accepting cookie dictionaries without domain binding. The commit diff shows cookies were previously converted via cookiejar_from_dict (domain-agnostic), replaced with _scoped_cookiejar_from_dict to enforce domain binding. All methods funnel through HTTPClient.request, making it the core vulnerable function. The public treq.get/post methods inherit this vulnerability as they delegate to HTTPClient.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t Tr*q's r*qu*st m*t*o*s (`tr*q.**t`, `tr*q.post`, `*TTP*li*nt.r*qu*st`, `*TTP*li*nt.**t`, *t*.) ****pt *ooki*s *s * *i*tion*ry, *or *x*mpl*: ```py tr*q.**t('*ttps://*x*mpl*.*om/', *ooki*s={'s*ssion': '****'}) ``` Su** *ooki*s *r* not *ou

Reasoning

T** vuln*r**ility st*mm** *rom r*qu*st m*t*o*s (tr*q.**t, tr*q.post, *TTP*li*nt.r*qu*st) ****ptin* *ooki* *i*tion*ri*s wit*out *om*in *in*in*. T** *ommit *i** s*ows *ooki*s w*r* pr*viously *onv*rt** vi* *ooki*j*r_*rom_*i*t (*om*in-**nosti*), r*pl****

6.5

Basic Information

Concerned about an active attack path?

CVE-2022-23607: Unsafe handling of user-specified cookies in treq

Impact

Patches

Workarounds

References

6.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI