CVE-2022-39348

Exploit

EPSS 0.45%
Published 26.10.2022 20:15:10
Last modified 25.11.2024 18:12:24
Source security-advisories@github.com
Teams watchlist Login
Open Login

Twisted is an event-based framework for internet applications. Started with version 0.9.4, when the host header does not match a configured host `twisted.web.vhost.NameVirtualHost` will return a `NoResource` resource which renders the Host header unescaped into the 404 response allowing HTML and script injection. In practice this should be very difficult to exploit as being able to modify the Host header of a normal HTTP request implies that one is already in a privileged position. This issue was fixed in version 22.10.0rc1. There are no known workarounds.

Affected products Warnungen 0 Metrics 3 CWE 2 References 8

Data is provided by the National Vulnerability Database (NVD)

Twisted ≫ Twisted Version >= 0.9.4 < 22.10.0

Debian ≫ Debian Linux Version10.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.45%	0.629

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	5.4	2.3	2.7	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
security-advisories@github.com	5.4	2.3	2.7	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

CWE-80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages.

https://security.gentoo.org/glsa/202301-02

Third Party Advisory

https://github.com/twisted/twisted/commit/f2f5e81c03f14e253e85fe457e646130780db40b

Patch

https://github.com/twisted/twisted/commit/f49041bb67792506d85aeda9cf6157e92f8048f4

Patch

https://github.com/twisted/twisted/security/advisories/GHSA-vg46-2rrj-3647

Patch

Third Party Advisory

Exploit

https://lists.debian.org/debian-lts-announce/2022/11/msg00038.html

Third Party Advisory

Mailing List

https://nvd.nist.gov/vuln/detail/CVE-2022-39348

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2022-39348

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2022-39348

EUVD