Lucene search

GitHub_MCVE-2022-39348

HistoryOct 26, 2022 - 8:15 p.m.

CVE-2022-39348

2022-10-2620:15:10

CWE-80

CWE-79

GitHub_M

web.nvd.nist.gov

192

twisted

cve-2022-39348

event-based framework

internet applications

security vulnerability

html injection

script injection

nvd

CVSS3

5.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

AI Score

5.5

Confidence

High

EPSS

0.002

Percentile

52.1%

JSON

Twisted is an event-based framework for internet applications. Started with version 0.9.4, when the host header does not match a configured host twisted.web.vhost.NameVirtualHost will return a NoResource resource which renders the Host header unescaped into the 404 response allowing HTML and script injection. In practice this should be very difficult to exploit as being able to modify the Host header of a normal HTTP request implies that one is already in a privileged position. This issue was fixed in version 22.10.0rc1. There are no known workarounds.

Affected configurations

Nvd

Vulners

Node

twistedmatrixtwistedRange0.9.4–22.10.0

Node

debiandebian_linuxMatch10.0

VendorProductVersionCPE
twistedmatrixtwisted*cpe:2.3:a:twistedmatrix:twisted:*:*:*:*:*:*:*:*
debiandebian_linux10.0cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
twistedmatrix	twisted	*	cpe:2.3:a:twistedmatrix:twisted::::::::
debian	debian_linux	10.0	cpe:2.3:o:debian:debian_linux:10.0:::::::*

CNA Affected

[
  {
    "vendor": "twisted",
    "product": "twisted",
    "versions": [
      {
        "version": ">= 0.9.4, < 22.10.0rc1",
        "status": "affected"
      }
    ]
  }
]