CVE-2022-39348

Опубликовано: 26 окт. 2022

Источник: nvd

CVSS3: 5.4

EPSS Низкий

Описание

Twisted is an event-based framework for internet applications. Started with version 0.9.4, when the host header does not match a configured host twisted.web.vhost.NameVirtualHost will return a NoResource resource which renders the Host header unescaped into the 404 response allowing HTML and script injection. In practice this should be very difficult to exploit as being able to modify the Host header of a normal HTTP request implies that one is already in a privileged position. This issue was fixed in version 22.10.0rc1. There are no known workarounds.

Ссылки

https://github.com/twisted/twisted/commit/f2f5e81c03f14e253e85fe457e646130780db40b
Patch
https://github.com/twisted/twisted/commit/f49041bb67792506d85aeda9cf6157e92f8048f4
Patch
https://github.com/twisted/twisted/security/advisories/GHSA-vg46-2rrj-3647
Exploit
Patch
Third Party Advisory
https://lists.debian.org/debian-lts-announce/2022/11/msg00038.html
Mailing List
Third Party Advisory
https://security.gentoo.org/glsa/202301-02
Third Party Advisory
https://github.com/twisted/twisted/commit/f2f5e81c03f14e253e85fe457e646130780db40b
Patch
https://github.com/twisted/twisted/commit/f49041bb67792506d85aeda9cf6157e92f8048f4
Patch
https://github.com/twisted/twisted/security/advisories/GHSA-vg46-2rrj-3647
Exploit
Patch
Third Party Advisory
https://lists.debian.org/debian-lts-announce/2022/11/msg00038.html
Mailing List
Third Party Advisory
https://lists.debian.org/debian-lts-announce/2024/11/msg00028.html
https://security.gentoo.org/glsa/202301-02
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:twisted:twisted:*:*:*:*:*:*:*:*

Версия от 0.9.4 (включая) до 22.10.0 (исключая)

Конфигурация 2

cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*

EPSS

Процентиль: 78%

0.01178

Низкий

5.4 Medium

CVSS3

Дефекты

CWE-79

Связанные уязвимости

CVE-2022-39348

CVSS3: 5.4

ubuntu

около 3 лет назад

Twisted is an event-based framework for internet applications. Started with version 0.9.4, when the host header does not match a configured host `twisted.web.vhost.NameVirtualHost` will return a `NoResource` resource which renders the Host header unescaped into the 404 response allowing HTML and script injection. In practice this should be very difficult to exploit as being able to modify the Host header of a normal HTTP request implies that one is already in a privileged position. This issue was fixed in version 22.10.0rc1. There are no known workarounds.

CVE-2022-39348

CVSS3: 5.4

redhat

около 3 лет назад

CVE-2022-39348

CVSS3: 5.4

msrc

около 3 лет назад

Twisted vulnerable to NameVirtualHost Host header injection

CVE-2022-39348

CVSS3: 5.4

debian

около 3 лет назад

Twisted is an event-based framework for internet applications. Started ...

SUSE-SU-2022:4057-1

suse-cvrf

около 3 лет назад

Security update for python-Twisted

EPSS

Процентиль: 78%

0.01178

Низкий

5.4 Medium

CVSS3

Дефекты

CWE-79