CVE-2022-39348

2022-10-2600:00:00

ubuntu.com

twisted framework

html injection

host header

security issue

fixed version

CVSS3

5.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

EPSS

0.002

Percentile

52.1%

JSON

Twisted is an event-based framework for internet applications. Started with
version 0.9.4, when the host header does not match a configured host
twisted.web.vhost.NameVirtualHost will return a NoResource resource
which renders the Host header unescaped into the 404 response allowing HTML
and script injection. In practice this should be very difficult to exploit
as being able to modify the Host header of a normal HTTP request implies
that one is already in a privileged position. This issue was fixed in
version 22.10.0rc1. There are no known workarounds.

Bugs

<https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1023359>

Notes

Author	Note
mdeslaur	introduced by: https://github.com/twisted/twisted/commit/f49041bb67792506d85aeda9cf6157e92f8048f4

OSVersionArchitecturePackageVersionFilename
ubuntu18.04noarchtwisted< anyUNKNOWN
ubuntu20.04noarchtwisted< 18.9.0-11ubuntu0.20.04.3UNKNOWN
ubuntu22.04noarchtwisted< 22.1.0-2ubuntu2.4UNKNOWN
ubuntu14.04noarchtwisted< anyUNKNOWN
ubuntu16.04noarchtwisted< anyUNKNOWN

OS	Version	Architecture	Package	Version	Filename
ubuntu	18.04	noarch	twisted	< any	UNKNOWN
ubuntu	20.04	noarch	twisted	< 18.9.0-11ubuntu0.20.04.3	UNKNOWN
ubuntu	22.04	noarch	twisted	< 22.1.0-2ubuntu2.4	UNKNOWN
ubuntu	14.04	noarch	twisted	< any	UNKNOWN
ubuntu	16.04	noarch	twisted	< any	UNKNOWN