Описание
Security update for python-Twisted
This update for python-Twisted fixes the following issues:
- CVE-2022-39348: Fixed NameVirtualHost Host header injection (bsc#1204781).
Список пакетов
HPE Helion OpenStack 8
SUSE Linux Enterprise Module for Web and Scripting 12
SUSE OpenStack Cloud 8
SUSE OpenStack Cloud 9
SUSE OpenStack Cloud Crowbar 8
SUSE OpenStack Cloud Crowbar 9
Ссылки
- Link for SUSE-SU-2022:4074-1
- E-Mail link for SUSE-SU-2022:4074-1
- SUSE Security Ratings
- SUSE Bug 1204781
- SUSE CVE CVE-2019-12387 page
- SUSE CVE CVE-2020-10108 page
- SUSE CVE CVE-2022-21712 page
- SUSE CVE CVE-2022-39348 page
Описание
In Twisted before 19.2.1, twisted.web did not validate or sanitize URIs or HTTP methods, allowing an attacker to inject invalid characters such as CRLF.
Затронутые продукты
Ссылки
- CVE-2019-12387
- SUSE Bug 1137825
Описание
In Twisted Web through 19.10.0, there was an HTTP request splitting vulnerability. When presented with two content-length headers, it ignored the first header. When the second content-length value was set to zero, the request body was interpreted as a pipelined request.
Затронутые продукты
Ссылки
- CVE-2020-10108
- SUSE Bug 1166457
Описание
twisted is an event-driven networking engine written in Python. In affected versions twisted exposes cookies and authorization headers when following cross-origin redirects. This issue is present in the `twited.web.RedirectAgent` and `twisted.web. BrowserLikeRedirectAgent` functions. Users are advised to upgrade. There are no known workarounds.
Затронутые продукты
Ссылки
- CVE-2022-21712
- SUSE Bug 1195667
Описание
Twisted is an event-based framework for internet applications. Started with version 0.9.4, when the host header does not match a configured host `twisted.web.vhost.NameVirtualHost` will return a `NoResource` resource which renders the Host header unescaped into the 404 response allowing HTML and script injection. In practice this should be very difficult to exploit as being able to modify the Host header of a normal HTTP request implies that one is already in a privileged position. This issue was fixed in version 22.10.0rc1. There are no known workarounds.
Затронутые продукты
Ссылки
- CVE-2022-39348
- SUSE Bug 1204781