GMS-2022-230: Cookie-setting is not restricted based on the public suffix list
Responses from hosts whose public suffix contains one or more periods (for example, responses from example.co.uk, whose public suffix is co.uk) can set cookies that are then included in requests to any other host sharing that same suffix. The expected behaviour under RFC 6265 section 5.3 is to reject a Domain attribute that is itself a public suffix, because such a cookie would be shared with every registrant under that suffix.
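As an added illustration (not code from the advisory or from any particular affected library), the following Python check closes this hole by consulting a public suffix list, shown next to the naive domain-match that has the bug; `PUBLIC_SUFFIXES` is a constructed stand-in for the real list.

```python
from typing import List, Optional

# Constructed stand-in for the real Public Suffix List (publicsuffix.org);
# a real client must load and refresh the full list.
PUBLIC_SUFFIXES = {"com", "org", "uk", "co.uk", "github.io"}

def _labels(name: str) -> List[str]:
    """Canonicalise a host or Domain attribute: lower-case, no leading dot."""
    return name.lower().strip(".").split(".")

def domain_matches(host: str, cookie_domain: str) -> bool:
    """RFC 6265 domain matching on label boundaries: the host equals the
    cookie domain or is a subdomain of it ('ample.co.uk' does not match)."""
    h, d = _labels(host), _labels(cookie_domain)
    return len(h) >= len(d) and h[-len(d):] == d

def public_suffix(host: str) -> str:
    """Longest public suffix of host; an unknown top-level label is itself
    treated as a public suffix, as the PSL's implicit '*' rule does."""
    labels = _labels(host)
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in PUBLIC_SUFFIXES:
            return candidate
    return labels[-1]

def naive_cookie_domain(host: str, cookie_domain: str) -> Optional[str]:
    """The vulnerable check: only domain matching, so a response from
    example.co.uk may set Domain=co.uk and the cookie then travels to
    every other *.co.uk host."""
    domain = ".".join(_labels(cookie_domain))
    return domain if domain_matches(host, domain) else None

def effective_cookie_domain(host: str, cookie_domain: Optional[str]) -> Optional[str]:
    """Hardened check (RFC 6265 section 5.3 with the public suffix rule):
    return the domain the cookie is scoped to, or None to reject it."""
    host = ".".join(_labels(host))
    if not cookie_domain:
        return host                      # no Domain attribute: host-only cookie
    domain = ".".join(_labels(cookie_domain))
    if not domain_matches(host, domain):
        return None                      # Domain is unrelated to the responder
    if len(_labels(domain)) <= len(_labels(public_suffix(host))):
        # Domain is a public suffix (or even shorter): accepting it would share
        # the cookie with every registrant under that suffix.
        return host if domain == host else None  # same host: demote to host-only
    return domain
```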