CVE-2022-39348
Published 2022-10-26
Priority P428 · medium · 5.4 (CVSS 3.1: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
EPSS: 1.16% (63.1th percentile)
Twisted is an event-based framework for internet applications. Started with version 0.9.4, when the host header does not match a configured host `twisted.web.vhost.NameVirtualHost` will return a `NoResource` resource which renders the Host header unescaped into the 404 response allowing HTML and script injection. In practice this should be very difficult to exploit as being able to modify the Host header of a normal HTTP request implies that one is already in a privileged position. This issue was fixed in version 22.10.0rc1. There are no known workarounds.
Affected
13 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | twisted | < twisted 22.4.0-4 (bookworm) | twisted 22.4.0-4 (bookworm) |
| msrc | cbl2_python-twisted_22.10.0-2_on_cbl_mariner_2.0 | — | — |
| msrc | cm1_python-twisted_20.3.0-4_on_cbl_mariner_1.0 | — | — |
| twisted | twisted | — | — |
| twisted | twisted | >= 0 < 20.3.0-7+deb11u2 | 20.3.0-7+deb11u2 |
| twisted | twisted | >= 0 < 22.4.0-4 | 22.4.0-4 |
| twisted | twisted | >= 0 < 22.4.0-4 | 22.4.0-4 |
| twisted | twisted | >= 0 < 22.4.0-4 | 22.4.0-4 |
| twisted | twisted | >= 0 < 18.9.0-11ubuntu0.20.04.3 | 18.9.0-11ubuntu0.20.04.3 |
| twisted | twisted | >= 0 < 22.1.0-2ubuntu2.4 | 22.1.0-2ubuntu2.4 |
| twisted | twisted | >= 0.9.4 < 22.10.0 | 22.10.0 |
| twisted | twisted | >= 0.9.4 < 22.10.0rc1 | 22.10.0rc1 |
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 5.4 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
| osv | 5.4 | MEDIUM | — |
| vendor_debian | 5.4 | MEDIUM | — |
| vendor_msrc | 5.4 | MEDIUM | — |
| vendor_redhat | 5.4 | MEDIUM | — |
| vendor_ubuntu | 5.4 | MEDIUM | — |
Ubuntu
Twisted vulnerabilities
vendor_ubuntu·2024-01-10·CVSS 5.4
CVE-2022-39348 [MEDIUM] Twisted vulnerabilities
Title: Twisted vulnerabilities
Summary: Several security issues were fixed in Twisted.
It was discovered that Twisted incorrectly escaped host headers in certain
404 responses. A remote attacker could possibly use this issue to perform
HTML and script injection attacks. This issue only affected Ubuntu 20.04
LTS and Ubuntu 22.04 LTS. (CVE-2022-39348)
It was discovered that Twisted incorrectly handled response order when
processing multiple HTTP requests. A remote attacker could possibly use
this issue to delay responses and manipulate the responses of second
requests. (CVE-2023-46137)
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
python-twisted: NameVirtualHost Host header injection
vendor_redhat·2022-10-26·CVSS 5.4
CVE-2022-39348 [MEDIUM] CWE-79 python-twisted: NameVirtualHost Host header injection
A host header injection flaw was found in the twisted event-based framework's web module. When the host header does not match a configured host, the web module will render unescaped
Microsoft
Twisted vulnerable to NameVirtualHost Host header injection
vendor_msrc·2022-10-11·CVSS 5.4
CVE-2022-39348 [MEDIUM] CWE-80 Twisted vulnerable to NameVirtualHost Host header injection
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Mariner: Mariner
GitHub_M: GitHub_M
Customer Action Required: Yes
Remediation: CBL-Mariner Releases
Reference: htt
Debian
CVE-2022-39348: twisted - Twisted is an event-based framework for internet applications. Started with vers...
vendor_debian·2022·CVSS 5.4
CVE-2022-39348 [MEDIUM] CVE-2022-39348: twisted - Twisted is an event-based framework for internet applications. Started with vers...
Scope: local
bookworm: resolved (fixed in 22.4.0-4)
bullseye: resolved (fixed in 20.3.0-7+deb11u2)
forky: resolved (fixed in 22.4.0-4)
sid: resolved (fixed in 22.4.0-4)
trixie: resolved (fixed in 22.4.0-4)
OSV
twisted vulnerabilities
osv·2024-01-10·CVSS 5.4
CVE-2022-39348 [MEDIUM] twisted vulnerabilities
OSV
CVE-2022-39348: Twisted is an event-based framework for internet applications
osv·2022-10-26·CVSS 5.4
CVE-2022-39348 [MEDIUM] CVE-2022-39348: Twisted is an event-based framework for internet applications
GHSA
Twisted vulnerable to NameVirtualHost Host header injection
ghsa·2022-10-26
CVE-2022-39348 [MEDIUM] CWE-79 Twisted vulnerable to NameVirtualHost Host header injection
When the host header does not match a configured host, `twisted.web.vhost.NameVirtualHost` will return a `NoResource` resource which renders the Host header unescaped into the 404 response allowing HTML and script injection.
Example configuration:
```python
from twisted.web.server import Site
from twisted.web.vhost import NameVirtualHost
from twisted.internet import reactor

# No hosts are added, so every request's Host header misses the vhost map
# and falls through to the NoResource 404 page.
resource = NameVirtualHost()
site = Site(resource)
reactor.listenTCP(8080, site)
reactor.run()
```
Output:
```
❯ curl -H"Host:HELLO THERE" http://localhost:8080/
404 - No Such Resource
No Such Resource
host b'hello there' not in vhost map
```
This vulnerability was introduced in f49041bb67792506d85aeda9cf6157e92f8048f4 and first appeared in the 0.9.4 r
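As an added example (not Twisted's own code), the 404 body shape from the output above rendered both as the advisory describes (header value interpolated raw) and in a hardened form that HTML-escapes it, together with a regression check an operator can run against a captured 404 body. The function names, the `_TEMPLATE` string and the vhost-map dispatch stand-in are constructed for illustration.

```python
from html import escape

# Added example, not Twisted's code. The body mirrors the shape of the 404
# page in the advisory output above; function names and the vhost-map
# stand-in are constructed for illustration.

_TEMPLATE = ("<html><head><title>404 - No Such Resource</title></head>"
             "<body><h1>No Such Resource</h1>"
             "<p>host {host} not in vhost map</p></body></html>")


def render_not_found_unescaped(host: bytes) -> str:
    """Shape of the pre-fix behaviour: the raw header value lands in the HTML."""
    return _TEMPLATE.format(host=repr(host))


def render_not_found(host: bytes) -> str:
    """Hardened form: HTML-escape the untrusted header before interpolating it.

    repr() keeps the b'...' spelling the advisory output shows; escape() then
    neutralises <, >, & and both quote characters.
    """
    return _TEMPLATE.format(host=escape(repr(host)))


def handle_request(vhost_map: dict, host_header: bytes) -> tuple:
    """Constructed stand-in for the dispatch: lower-case the Host header (as the
    advisory output shows), serve a mapped host, otherwise the hardened 404."""
    host = host_header.lower()
    if host in vhost_map:
        return 200, vhost_map[host]
    return 404, render_not_found(host)


def reflects_unescaped_markup(host_header: bytes, body: str) -> bool:
    """Regression check for a captured 404 body: True when markup characters
    from the Host header are echoed back verbatim, i.e. not escaped."""
    raw = host_header.decode("latin-1")  # header bytes, decoded without error
    has_markup = any(ch in raw for ch in "<>&\"'")
    return has_markup and raw in body


if __name__ == "__main__":
    probe = b"<b>bold</b>"  # constructed sample header value
    print(reflects_unescaped_markup(probe, render_not_found_unescaped(probe)))  # True
    print(reflects_unescaped_markup(probe, render_not_found(probe)))            # False
```

The check deliberately looks for the raw header text in the body rather than for specific tags, so it flags any unescaped reflection regardless of which markup characters the header carried.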
OSV
Twisted vulnerable to NameVirtualHost Host header injection
osv·2022-10-26
CVE-2022-39348 [MEDIUM] Twisted vulnerable to NameVirtualHost Host header injection
No detection rules found.
No public exploits indexed.
References
https://github.com/twisted/twisted/commit/f2f5e81c03f14e253e85fe457e646130780db40b
https://github.com/twisted/twisted/commit/f49041bb67792506d85aeda9cf6157e92f8048f4
https://github.com/twisted/twisted/security/advisories/GHSA-vg46-2rrj-3647
https://lists.debian.org/debian-lts-announce/2022/11/msg00038.html
https://lists.debian.org/debian-lts-announce/2024/11/msg00028.html
https://security.gentoo.org/glsa/202301-02