CVE-2022-39348 twisted

Package

Manager: pip
Name: twisted
Vulnerable Version: >=0.9.4 <22.10.0rc1

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

EPSS: 0.00454 (percentile 0.62926)

Details

Twisted vulnerable to NameVirtualHost Host header injection

When the Host header does not match a configured host, `twisted.web.vhost.NameVirtualHost` returns a `NoResource` resource which renders the Host header unescaped into the 404 response, allowing HTML and script injection.

Example configuration:

```python
from twisted.web.server import Site
from twisted.web.vhost import NameVirtualHost
from twisted.internet import reactor

resource = NameVirtualHost()
site = Site(resource)
reactor.listenTCP(8080, site)
reactor.run()
```

Output:

```
❯ curl -H"Host:<h1>HELLO THERE</h1>" http://localhost:8080/
<html>
<head><title>404 - No Such Resource</title></head>
<body>
<h1>No Such Resource</h1>
<p>host b'<h1>hello there</h1>' not in vhost map</p>
</body>
</html>
```

This vulnerability was introduced in f49041bb67792506d85aeda9cf6157e92f8048f4 and first appeared in the 0.9.4 release.
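The following is an added example, not Twisted's own code. It reproduces the advisory's 404 rendering in plain Python (no Twisted dependency, so it runs offline) to show the defect beside its corrected form: the unescaped variant interpolates the raw bytes repr of the Host header into the page exactly as the curl output above shows, while the escaped variant decodes the header and passes it through `html.escape` before it reaches the body. The function names, the `TEMPLATE` string and the `SAMPLE_HOST` value are constructed for this example; `reflects_raw_markup` is a small check a reviewer can run against any 404 body to confirm whether header markup survives unescaped. The actual fix for a deployment is to move to a Twisted release outside the vulnerable range listed above.

```python
import html

# Constructed sample: the Host header from the advisory's curl request, as the
# server sees it after lower-casing (Twisted hands it over as bytes).
SAMPLE_HOST = b"<h1>hello there</h1>"

# Page skeleton matching the 404 body quoted in the advisory.
TEMPLATE = (
    "<html>\n"
    "<head><title>404 - No Such Resource</title></head>\n"
    "<body>\n"
    "<h1>No Such Resource</h1>\n"
    "<p>host {host} not in vhost map</p>\n"
    "</body>\n"
    "</html>\n"
)


def render_404_unescaped(host: bytes) -> str:
    """Mirror of the vulnerable behaviour: the raw repr of the Host header
    bytes is interpolated straight into the HTML response."""
    return TEMPLATE.format(host=repr(host))


def render_404_escaped(host: bytes) -> str:
    """Hardened variant (assumed fix, not Twisted's patch): decode the header
    leniently and HTML-escape it, including quotes, before interpolation."""
    text = host.decode("ascii", errors="replace")
    return TEMPLATE.format(host=html.escape(text, quote=True))


def reflects_raw_markup(body: str, host: bytes) -> bool:
    """Detection helper: True when the Host header carries HTML-significant
    characters and appears verbatim (unescaped) in the response body."""
    text = host.decode("ascii", errors="replace")
    has_markup = any(ch in text for ch in "<>\"'&")
    return has_markup and text in body


if __name__ == "__main__":
    for label, render in (("unescaped", render_404_unescaped),
                          ("escaped", render_404_escaped)):
        body = render(SAMPLE_HOST)
        print(f"--- {label}: reflects raw markup = "
              f"{reflects_raw_markup(body, SAMPLE_HOST)}")
        print(body)
```

Running the script prints both bodies; the unescaped one contains the `<h1>` tag verbatim, while the escaped one carries `&lt;h1&gt;hello there&lt;/h1&gt;`, which a browser renders as text rather than markup. A benign host such as `example.com` is reported as not reflecting markup by either variant, so the check flags only the dangerous case.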

Metadata

Created: 2022-10-26T22:08:39Z
Modified: 2024-11-25T19:26:05Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-vg46-2rrj-3647/GHSA-vg46-2rrj-3647.json
CWE IDs: ["CWE-79", "CWE-80"]
Alternative ID: GHSA-vg46-2rrj-3647
Finding: F425
Auto approve: 1