CVE-2022-21712
Published: 2022-02-07
Priority: P342 high
CVSS 3.1: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS: 1.42% (69.5th percentile)
twisted is an event-driven networking engine written in Python. In affected versions twisted exposes cookies and authorization headers when following cross-origin redirects. This issue is present in the `twisted.web.RedirectAgent` and `twisted.web.BrowserLikeRedirectAgent` functions. Users are advised to upgrade. There are no known workarounds.
Affected
16 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | twisted | < twisted 22.1.0-1 (bookworm) | twisted 22.1.0-1 (bookworm) |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| msrc | cbl2_python-twisted_22.2.0-1_on_cbl_mariner_2.0 | — | — |
| msrc | cm1_python-twisted_20.3.0-2_on_cbl_mariner_1.0 | — | — |
| twisted | treq | >= 0 < 22.1.0 | 22.1.0 |
| twisted | twisted | — | — |
| twisted | twisted | >= 0 < 20.3.0-7+deb11u1 | 20.3.0-7+deb11u1 |
| twisted | twisted | >= 0 < 22.1.0-1 | 22.1.0-1 |
| twisted | twisted | >= 0 < 22.1.0-1 | 22.1.0-1 |
| twisted | twisted | >= 0 < 22.1.0-1 | 22.1.0-1 |
| twisted | twisted | >= 0 < 17.9.0-2ubuntu0.3 | 17.9.0-2ubuntu0.3 |
| twisted | twisted | >= 0 < 18.9.0-11ubuntu0.20.04.2 | 18.9.0-11ubuntu0.20.04.2 |
| twisted | twisted | >= 11.1.0 < 22.1.0 | 22.1.0 |
| twisted | twisted | >= 11.1.0 < 22.1.0 | 22.1.0 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
| ghsa | — | 7.5 | HIGH | — |
| osv | — | 7.5 | HIGH | — |
| vendor_debian | — | 7.5 | HIGH | — |
| vendor_msrc | — | 7.5 | HIGH | — |
| vendor_redhat | — | 7.5 | HIGH | — |
| vendor_ubuntu | — | 7.5 | HIGH | — |
Ubuntu
Twisted vulnerabilities
vendor_ubuntu·2022-03-30·CVSS 7.5
CVE-2022-21712 [HIGH] Twisted vulnerabilities
Title: Twisted vulnerabilities
Summary: Several security issues were fixed in Twisted.
It was discovered that Twisted incorrectly filtered HTTP headers when clients
are being redirected to another origin. A remote attacker could use this issue
to obtain sensitive information. (CVE-2022-21712)
It was discovered that Twisted incorrectly processed SSH handshake data on
connection establishments. A remote attacker could use this issue to cause
Twisted to crash, resulting in a denial of service. (CVE-2022-21716)
Instructions: In general, a standard system update will make all the necessary changes.
Microsoft
Cookie and header exposure in twisted
vendor_msrc·2022-02-08·CVSS 7.5
CVE-2022-21712 [HIGH] CWE-200 Cookie and header exposure in twisted
Cookie and header exposure in twisted
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Mariner: Mariner
GitHub_M: GitHub_M
Customer Action Required: Yes
Remediation: CBL-Mariner Releases
Reference: https://learn.microsoft.c
Red Hat
dev-python/twisted: secret exposure in cross-origin redirects
vendor_redhat·2022-02-08·CVSS 7.5
CVE-2022-21712 [HIGH] CWE-346 dev-python/twisted: secret exposure in cross-origin redirects
dev-python/twisted: secret exposure in cross-origin redirects
twisted is an event-driven networking engine written in Python. In affected versions twisted exposes cookies and authorization headers when following cross-origin redirects. This issue is present in the `twisted.web.RedirectAgent` and `twisted.web.BrowserLikeRedirectAgent` functions. Users are advised to upgrade. There are no known workarounds.
A flaw was found in the twisted Python library when WebClient redirects via the RedirectAgent and BrowserLikeRedirectAgent methods. This flaw allows an attacker to take advantage of these cross-origin redirects and leak the cookie and authorization headers.
Package: twisted[tls] (Red Hat Ansible Automation Platform 1.2) - Affected
Package: twisted[tls] (Red Hat Ansible Automation Plat
Debian
CVE-2022-21712: twisted - twisted is an event-driven networking engine written in Python. In affected vers...
vendor_debian·2022·CVSS 7.5
CVE-2022-21712 [HIGH] CVE-2022-21712: twisted - twisted is an event-driven networking engine written in Python. In affected vers...
twisted is an event-driven networking engine written in Python. In affected versions twisted exposes cookies and authorization headers when following cross-origin redirects. This issue is present in the `twisted.web.RedirectAgent` and `twisted.web.BrowserLikeRedirectAgent` functions. Users are advised to upgrade. There are no known workarounds.
Scope: local
bookworm: resolved (fixed in 22.1.0-1)
bullseye: resolved (fixed in 20.3.0-7+deb11u1)
forky: resolved (fixed in 22.1.0-1)
sid: resolved (fixed in 22.1.0-1)
trixie: resolved (fixed in 22.1.0-1)
OSV
twisted vulnerabilities
osv·2022-03-30·CVSS 7.5
CVE-2022-21712 [HIGH] twisted vulnerabilities
twisted vulnerabilities
It was discovered that Twisted incorrectly filtered HTTP headers when clients
are being redirected to another origin. A remote attacker could use this issue
to obtain sensitive information. (CVE-2022-21712)
It was discovered that Twisted incorrectly processed SSH handshake data on
connection establishments. A remote attacker could use this issue to cause
Twisted to crash, resulting in a denial of service. (CVE-2022-21716)
GHSA
Cookie and header exposure in twisted
ghsa·2022-02-07
CVE-2022-21712 [HIGH] CWE-200 Cookie and header exposure in twisted
Cookie and header exposure in twisted
### Impact
Cookie and Authorization headers are leaked when following cross-origin redirects in `twisted.web.client.RedirectAgent` and `twisted.web.client.BrowserLikeRedirectAgent`.
OSV
CVE-2022-21712: twisted is an event-driven networking engine written in Python
osv·2022-02-07·CVSS 7.5
CVE-2022-21712 [HIGH] CVE-2022-21712: twisted is an event-driven networking engine written in Python
twisted is an event-driven networking engine written in Python. In affected versions twisted exposes cookies and authorization headers when following cross-origin redirects. This issue is present in the `twisted.web.RedirectAgent` and `twisted.web.BrowserLikeRedirectAgent` functions. Users are advised to upgrade. There are no known workarounds.
OSV
Cookie and header exposure in twisted
osv·2022-02-07
CVE-2022-21712 [HIGH] Cookie and header exposure in twisted
Cookie and header exposure in twisted
### Impact
Cookie and Authorization headers are leaked when following cross-origin redirects in `twisted.web.client.RedirectAgent` and `twisted.web.client.BrowserLikeRedirectAgent`.
OSV
Unsafe handling of user-specified cookies in treq
osv·2022-02-01·CVSS 7.5
CVE-2022-23607 [HIGH] Unsafe handling of user-specified cookies in treq
Unsafe handling of user-specified cookies in treq
### Impact
Treq's request methods (`treq.get`, `treq.post`, `HTTPClient.request`, `HTTPClient.get`, etc.) accept cookies as a dictionary, for example:
```py
treq.get('https://example.com/', cookies={'session': '1234'})
```
Such cookies are not bound to a single domain, and are therefore sent to *every* domain ("supercookies"). This can potentially cause sensitive information to leak upon an HTTP redirect to a different domain, e.g. should `https://example.com` redirect to `http://cloudstorageprovider.com` the latter will receive the cookie `session`.
### Patches
Treq 2021.1.0 and later bind cookies given to request methods (`treq.request`, `treq.get`, `HTTPClient.request`, `HTTPClient.get`, etc.) to the origin of the *url* parameter.
GHSA
Unsafe handling of user-specified cookies in treq
ghsa·2022-02-01·CVSS 7.5
CVE-2022-23607 [HIGH] CWE-200 Unsafe handling of user-specified cookies in treq
Unsafe handling of user-specified cookies in treq
### Impact
Treq's request methods (`treq.get`, `treq.post`, `HTTPClient.request`, `HTTPClient.get`, etc.) accept cookies as a dictionary, for example:
```py
treq.get('https://example.com/', cookies={'session': '1234'})
```
Such cookies are not bound to a single domain, and are therefore sent to *every* domain ("supercookies"). This can potentially cause sensitive information to leak upon an HTTP redirect to a different domain, e.g. should `https://example.com` redirect to `http://cloudstorageprovider.com` the latter will receive the cookie `session`.
### Patches
Treq 2021.1.0 and later bind cookies given to request methods (`treq.request`, `treq.get`, `HTTPClient.request`, `HTTPClient.get`, etc.) to the origin of the *url* parameter.
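As an added example (not code from Twisted, treq or any of the advisories above), the redirect-following rule that both fixes describe: credential headers are dropped when the redirect target is a different origin, and cookies given as a plain dict are bound to the origin of the request URL instead of being sent to every host. The names `origin`, `bind_cookies`, `cookie_header` and `redirected_request` are this example's own, and `cloudstorageprovider.com` is the advisory's placeholder host.

```python
from urllib.parse import urljoin, urlsplit

# Request headers that carry credentials; they must not follow a redirect
# to a different origin (the defect described in CVE-2022-21712).
CREDENTIAL_HEADERS = frozenset({"authorization", "cookie"})


def origin(url):
    """(scheme, host, port) triple identifying the origin of `url`."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    port = parts.port or {"http": 80, "https": 443}.get(scheme)
    return (scheme, (parts.hostname or "").lower(), port)


def bind_cookies(cookies, url):
    """Bind a bare {name: value} dict to the origin of `url` so the cookies
    are no longer 'supercookies'. Path/Secure scoping is left out here."""
    bound_to = origin(url)
    return {name: {"value": value, "origin": bound_to} for name, value in cookies.items()}


def cookie_header(bound_cookies, url):
    """Cookie header value for a request to `url`, or None if nothing applies."""
    target = origin(url)
    pairs = [f"{n}={c['value']}" for n, c in bound_cookies.items() if c["origin"] == target]
    return "; ".join(pairs) or None


def redirected_request(url, headers, bound_cookies, location):
    """Build the follow-up request for a 3xx `location` received from `url`.
    Returns (new_url, new_headers)."""
    new_url = urljoin(url, location)  # Location may be relative
    if origin(new_url) == origin(url):
        new_headers = dict(headers)
    else:  # cross-origin: strip anything that authenticates the caller
        new_headers = {k: v for k, v in headers.items() if k.lower() not in CREDENTIAL_HEADERS}
    cookie = cookie_header(bound_cookies, new_url)  # only origin-bound cookies travel
    if cookie is not None:
        new_headers["Cookie"] = cookie
    return new_url, new_headers


if __name__ == "__main__":
    # Constructed input: an authenticated request to example.com that is
    # redirected off-site, as in the advisories above.
    jar = bind_cookies({"session": "1234"}, "https://example.com/")
    hdrs = {"Authorization": "Bearer TOKEN", "Cookie": cookie_header(jar, "https://example.com/")}
    print(redirected_request("https://example.com/", hdrs, jar, "http://cloudstorageprovider.com/"))
    print(redirected_request("https://example.com/", hdrs, jar, "/login"))
```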
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://github.com/twisted/twisted/commit/af8fe78542a6f2bf2235ccee8158d9c88d31e8e2
https://github.com/twisted/twisted/releases/tag/twisted-22.1.0
https://github.com/twisted/twisted/security/advisories/GHSA-92x2-jw7w-xvvx
https://lists.debian.org/debian-lts-announce/2022/02/msg00021.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7U6KYDTOLPICAVSR34G2WRYLFBD2YW5K/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GLKHA6WREIVAMBQD7KKWYHPHGGNKMAG6/
https://security.gentoo.org/glsa/202301-02
Published: 2022-02-07