CVE-2022-39348 : Twisted is an event-based framework for internet applications. Started with vers

Twisted is an event-based framework for internet applications. Started with version 0.9.4, when the host header does not match a configured host `twisted.web.vhost.NameVirtualHost` will return a `NoResource` resource which renders the Host header unescaped into the 404 response allowing HTML and script injection. In practice this should be very difficult to exploit as being able to modify the Host header of a normal HTTP request implies that one is already in a privileged position. This issue was fixed in version 22.10.0rc1. There are no known workarounds.

Published 2022-10-26 20:15:11

Updated 2024-11-25 18:12:25

Source GitHub, Inc.

View at NVD, CVE.org

Products affected by CVE-2022-39348

Debian » Debian Linux » Version: 10.0
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
Matching versions
Twisted » Twisted
Versions from including (>=) 0.9.4 and before (<) 22.10.0
cpe:2.3:a:twisted:twisted:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2022-39348

EPSS FAQ

0.11%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 31 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2022-39348

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
5.4	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N	2.3	2.7	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: Required Scope: Changed Confidentiality: Low Integrity: Low Availability: None
5.4	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N	2.3	2.7	GitHub, Inc.
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: Required Scope: Changed Confidentiality: Low Integrity: Low Availability: None

CWE ids for CVE-2022-39348

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Assigned by:
- nvd@nist.gov (Secondary)
- security-advisories@github.com (Secondary)
CWE-80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages.

Assigned by: security-advisories@github.com (Secondary)

References for CVE-2022-39348

https://github.com/twisted/twisted/commit/f2f5e81c03f14e253e85fe457e646130780db40b

Merge pull request from GHSA-vg46-2rrj-3647 · twisted/twisted@f2f5e81 · GitHub
Patch
https://github.com/twisted/twisted/security/advisories/GHSA-vg46-2rrj-3647

NameVirtualHost Host header injection. · Advisory · twisted/twisted · GitHub
Exploit;Patch;Third Party Advisory
https://lists.debian.org/debian-lts-announce/2022/11/msg00038.html

[SECURITY] [DLA 3212-1] twisted security update
Mailing List;Third Party Advisory
https://github.com/twisted/twisted/commit/f49041bb67792506d85aeda9cf6157e92f8048f4

vhost bugfix... · twisted/twisted@f49041b · GitHub
Patch
https://security.gentoo.org/glsa/202301-02

Twisted: Multiple Vulnerabilities (GLSA 202301-02) — Gentoo security
Third Party Advisory

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2022-39348

Products affected by CVE-2022-39348

Exploit prediction scoring system (EPSS) score for CVE-2022-39348

CVSS scores for CVE-2022-39348

CWE ids for CVE-2022-39348

References for CVE-2022-39348