CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS
Percentile
73.2%
The Twisted SSH client and server implementation naively accepted an infinite amount of data for the peer’s SSH version identifier.
A malicious peer can trivially craft a request that uses all available memory and crash the server, resulting in denial of service. The attack is as simple as nc -rv localhost 22 < /dev/zero
.
The issue was fix in GitHub commit https://github.com/twisted/twisted/commit/98387b39e9f0b21462f6abc7a1325dc370fcdeb1
A fix is available in Twisted 22.2.0.
Reported at https://twistedmatrix.com/trac/ticket/10284
Discussions at https://github.com/twisted/twisted/security/advisories/GHSA-rv6r-3f5q-9rgx
Found by vin01
github.com/advisories/GHSA-rv6r-3f5q-9rgx
github.com/twisted/twisted/commit/98387b39e9f0b21462f6abc7a1325dc370fcdeb1
github.com/twisted/twisted/releases/tag/twisted-22.2.0
github.com/twisted/twisted/security/advisories/GHSA-rv6r-3f5q-9rgx
lists.debian.org/debian-lts-announce/2022/03/msg00009.html
lists.fedoraproject.org/archives/list/[email protected]/message/7U6KYDTOLPICAVSR34G2WRYLFBD2YW5K/
lists.fedoraproject.org/archives/list/[email protected]/message/GLKHA6WREIVAMBQD7KKWYHPHGGNKMAG6/
nvd.nist.gov/vuln/detail/CVE-2022-21716
security.gentoo.org/glsa/202301-02
twistedmatrix.com/trac/ticket/10284
www.oracle.com/security-alerts/cpuapr2022.html
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS
Percentile
73.2%