{"id":"UBUNTU-CVE-2022-23607","details":"treq is an HTTP library inspired by requests but written on top of Twisted's Agents. Treq's request methods (`treq.get`, `treq.post`, etc.) and the `treq.client.HTTPClient` constructor accept cookies as a dictionary. Such cookies are not bound to a single domain, and are therefore sent to *every* domain (\"supercookies\"). This can potentially cause sensitive information to leak upon an HTTP redirect to a different domain, e.g. should `https://example.com` redirect to `http://cloudstorageprovider.com`, the latter will receive the cookie `session`. Treq 2021.1.0 and later bind cookies given to request methods (`treq.request`, `treq.get`, `HTTPClient.request`, `HTTPClient.get`, etc.) to the origin of the *url* parameter. Users are advised to upgrade. For users unable to upgrade: instead of passing a dictionary as the *cookies* argument, pass a `http.cookiejar.CookieJar` instance with properly domain- and scheme-scoped cookies in it.","modified":"2026-05-20T16:07:48.279368241Z","published":"2022-02-01T11:15:00Z","upstream":["CVE-2022-23607"],"references":[{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2022-23607"},{"type":"REPORT","url":"https://github.com/twisted/treq/security/advisories/GHSA-fhpf-pp6p-55qc"},{"type":"REPORT","url":"https://github.com/twisted/treq/commit/1da6022cc880bbcff59321abe02bf8498b89efb2"},{"type":"REPORT","url":"https://www.cve.org/CVERecord?id=CVE-2022-23607"}],"affected":[{"package":{"name":"python-treq","ecosystem":"Ubuntu:18.04:LTS","purl":"pkg:deb/ubuntu/python-treq?arch=source&distro=bionic"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["15.1.0-1"],"ecosystem_specific":{"binaries":[{"binary_name":"python-treq","binary_version":"15.1.0-1"},{"binary_version":"15.1.0-1","binary_name":"python3-treq"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2022/UBUNTU-CVE-2022-23607.json"}},{"package":{"name":"python-treq","ecosystem":"Ubuntu:20.04:LTS","purl":"pkg:deb/ubuntu/python-treq?arch=source&distro=focal"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["18.6.0-0.1","18.6.0-0.2"],"ecosystem_specific":{"binaries":[{"binary_version":"18.6.0-0.2","binary_name":"python3-treq"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2022/UBUNTU-CVE-2022-23607.json"}},{"package":{"name":"python-treq","ecosystem":"Ubuntu:22.04:LTS","purl":"pkg:deb/ubuntu/python-treq?arch=source&distro=jammy"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["18.6.0-0.2","22.2.0-0.1"],"ecosystem_specific":{"binaries":[{"binary_version":"22.2.0-0.1","binary_name":"python3-treq"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2022/UBUNTU-CVE-2022-23607.json"}},{"package":{"name":"python-treq","ecosystem":"Ubuntu:24.04:LTS","purl":"pkg:deb/ubuntu/python-treq?arch=source&distro=noble"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["22.2.0-0.1"],"ecosystem_specific":{"binaries":[{"binary_version":"22.2.0-0.1","binary_name":"python3-treq"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2022/UBUNTU-CVE-2022-23607.json"}},{"package":{"name":"python-treq","ecosystem":"Ubuntu:25.10","purl":"pkg:deb/ubuntu/python-treq?arch=source&distro=questing"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["24.9.1-1"],"ecosystem_specific":{"binaries":[{"binary_name":"python3-treq","binary_version":"24.9.1-1"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2022/UBUNTU-CVE-2022-23607.json"}},{"package":{"name":"python-treq","ecosystem":"Ubuntu:26.04:LTS","purl":"pkg:deb/ubuntu/python-treq?arch=source&distro=resolute"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["24.9.1-1","25.5.0-1"],"ecosystem_specific":{"binaries":[{"binary_version":"25.5.0-1","binary_name":"python3-treq"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2022/UBUNTU-CVE-2022-23607.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"},{"type":"Ubuntu","score":"medium"}]}