CVE-2022-21712

CWE-200 — Information Exposure CWE-34610 documents8 sources

Severity

7.5HIGH

EPSS

0.2%

top 52.65%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Twisted Twisted Debian Debian Linux Fedoraproject Fedora

Timeline

PublishedFeb 7

Latest updateMar 30

Description

twisted is an event-driven networking engine written in Python. In affected versions twisted exposes cookies and authorization headers when following cross-origin redirects. This issue is present in the `twited.web.RedirectAgent` and `twisted.web. BrowserLikeRedirectAgent` functions. Users are advised to upgrade. There are no known workarounds.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages6 packages

▶PyPITwisted11.1.0 — 22.1.0

▶PyPItwisted11.1.0 — 22.1.0

▶NVDtwisted/twisted11.1.0 — 22.1.0

▶Debiantwisted< 20.3.0-7+deb11u1+3

▶Ubuntutwisted< 17.9.0-2ubuntu0.3+1

Also affects: Debian Linux 9.0, Fedora 35, 36

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

twisted vulnerabilities↗2022-03-30

▶

GHSA

Cookie and header exposure in twisted↗2022-02-07

▶

OSV

CVE-2022-21712: twisted is an event-driven networking engine written in Python↗2022-02-07

▶

CVEList

Cookie and header exposure in twisted↗2022-02-07

▶

OSV

Cookie and header exposure in twisted↗2022-02-07

▶

📋Vendor Advisories

Ubuntu

Twisted vulnerabilities↗2022-03-30

▶

Microsoft

Cookie and header exposure in twisted↗2022-02-08

▶

Red Hat

dev-python/twisted: secret exposure in cross-origin redirects↗2022-02-08

▶

Debian

CVE-2022-21712: twisted - twisted is an event-driven networking engine written in Python. In affected vers...↗2022

▶