CVE-2022-39348

See a problem?

Source

https://nvd.nist.gov/vuln/detail/CVE-2022-39348

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-39348.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2022-39348

Aliases

GHSA-vg46-2rrj-3647

Related

Published

2022-10-26T20:15:10Z

Modified

2024-09-11T05:41:08.992494Z

Severity

5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N CVSS Calculator

Summary

[none]

Details

Twisted is an event-based framework for internet applications. Started with version 0.9.4, when the host header does not match a configured host twisted.web.vhost.NameVirtualHost will return a NoResource resource which renders the Host header unescaped into the 404 response allowing HTML and script injection. In practice this should be very difficult to exploit as being able to modify the Host header of a normal HTTP request implies that one is already in a privileged position. This issue was fixed in version 22.10.0rc1. There are no known workarounds.

References

Affected packages

Debian:11 / twisted

Package

Name: twisted
Purl: pkg:deb/debian/twisted?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

20.*

20.3.0-7

20.3.0-7+deb11u1

22.*

22.1.0-1

22.1.0-2

22.2.0-1

22.4.0-1

22.4.0-2

22.4.0-3

22.4.0-4

23.*

23.10.0-1

23.10.0-2

24.*

24.3.0-1

24.3.0-2

24.3.0-3

24.7.0-1

24.7.0-2

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / twisted

Package

Name: twisted
Purl: pkg:deb/debian/twisted?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

22.4.0-4

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / twisted

Package

Name: twisted
Purl: pkg:deb/debian/twisted?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

22.4.0-4

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/twisted/twisted

Affected ranges

Type: GIT
Repo: https://github.com/twisted/twisted
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

f2f5e81c03f14e253e85fe457e646130780db40b

Fixed

f49041bb67792506d85aeda9cf6157e92f8048f4

Affected versions

Other

before-black

twisted-16.*

twisted-16.2.0

twisted-16.3.0

twisted-16.4.0

twisted-16.4.1

twisted-16.5.0

twisted-16.6.0

twisted-17.*

twisted-17.1.0

twisted-17.5.0

twisted-17.9.0

twisted-18.*

twisted-18.4.0

twisted-18.7.0

twisted-18.9.0

twisted-19.*

twisted-19.2.0

twisted-19.7.0

twisted-20.*

twisted-20.11.0.dev6

twisted-21.*

twisted-21.2.0

twisted-21.2.0rc1

twisted-21.7.0

twisted-21.7.0rc1

twisted-21.7.0rc2

twisted-21.7.0rc3

twisted-22.*

twisted-22.1.0

twisted-22.1.0rc1

twisted-22.2.0

twisted-22.2.0rc1

twisted-22.4.0

twisted-22.4.0rc1

twisted-22.8.0

twisted-22.8.0rc1