CVE-2022-39348
published 2022-10-26


Priority: P4 28
Severity: medium, CVSS 3.1 base score 5.4
Vector: AV:N / AC:L / PR:L / UI:R / S:C / C:L / I:L / A:N
EPSS: 1.16% (63.1th percentile)
Twisted is an event-based framework for internet applications. Starting with version 0.9.4, when the Host header does not match any configured host, `twisted.web.vhost.NameVirtualHost` returns a `NoResource` resource that renders the Host header unescaped into the 404 response body, allowing HTML and script injection. In practice this should be very difficult to exploit: being able to modify the Host header of a normal HTTP request implies that one is already in a privileged position, since a browser will not send an attacker-chosen Host header on another user's behalf. This issue was fixed in version 22.10.0rc1. There are no known workarounds, so the fix is to upgrade.
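The pattern behind this CVE, as an added example that is not Twisted's code and not taken from this page: a name-based virtual-host dispatcher whose fallback 404 page interpolates the raw Host header, the same page with the header HTML-escaped, and a probe that tells the two apart by asking for a host no vhost serves. The vhost map, the 404 wording, the assumption that the lookup lowercases the header and strips any `:port`, and the `fetch_over_http` helper are all constructed for this example.

```python
"""Added example (not Twisted's own code) modelling the CVE-2022-39348 pattern.

The advisory describes a name-based virtual-host dispatcher that falls back
to a 404 resource which interpolates the raw Host header into HTML. Below:
the vulnerable renderer, the escaped one, a dispatcher that feeds them, and a
probe that tells the two apart. Names, messages and the vhost map are
assumptions made for this example; they do not reproduce Twisted's code.
"""
import http.client
from html import escape
from typing import Callable, Dict

# Constructed vhost map: site name -> the body that site would answer with.
VHOSTS: Dict[str, str] = {
    "www.example.test": "www-site",
    "api.example.test": "api-site",
}

# Constructed probe value. The tag is lowercase because a vhost lookup
# typically lowercases the header, and it contains no ':' so port stripping
# cannot truncate it.
PROBE_TAG = "<script>alert(1)</script>"
PROBE_HOST = "nope.example.test" + PROBE_TAG


def render_404_vulnerable(host: str) -> str:
    """The defect the advisory describes: Host goes into the page verbatim."""
    return ("<html><head><title>No Such Resource</title></head><body>"
            f"<h1>No Such Resource</h1><p>host {host} not in vhost map</p>"
            "</body></html>")


def render_404_fixed(host: str) -> str:
    """Same page with the header HTML-escaped. quote=True also escapes quote
    characters, which matters if the value ever lands inside an attribute."""
    return ("<html><head><title>No Such Resource</title></head><body>"
            f"<h1>No Such Resource</h1><p>host {escape(host, quote=True)} "
            "not in vhost map</p></body></html>")


def dispatch(headers: Dict[str, str],
             render_404: Callable[[str], str],
             vhosts: Dict[str, str] = VHOSTS) -> str:
    """Name-based vhost lookup (assumed behaviour): lowercase the Host header,
    drop any :port, serve the matching site or hand the name to the 404 renderer."""
    host = headers.get("host", "").lower().split(":", 1)[0]
    if host in vhosts:
        return vhosts[host]
    return render_404(host)


def reflects_host_unescaped(fetch: Callable[[Dict[str, str]], str]) -> bool:
    """Probe: send a Host value no vhost will match and see whether the raw
    tag comes back. An escaped copy ('&lt;script&gt;') does not count.
    `fetch` takes request headers and returns the response body, so the same
    probe runs against the in-process dispatcher or a real server."""
    body = fetch({"host": PROBE_HOST})
    return PROBE_TAG in body


def fetch_over_http(server: str, port: int = 80, timeout: float = 5.0
                    ) -> Callable[[Dict[str, str]], str]:
    """Builds a fetch() for a live server (assumed target; not called here).
    http.client honours a caller-supplied Host header instead of its own.
    Only use against systems you are authorised to test."""
    def fetch(headers: Dict[str, str]) -> str:
        conn = http.client.HTTPConnection(server, port, timeout=timeout)
        try:
            conn.request("GET", "/", headers=headers)
            return conn.getresponse().read().decode("utf-8", "replace")
        finally:
            conn.close()
    return fetch


if __name__ == "__main__":
    for label, renderer in (("vulnerable", render_404_vulnerable),
                            ("fixed", render_404_fixed)):
        hit = reflects_host_unescaped(lambda h, r=renderer: dispatch(h, r))
        print(f"{label:10s}: raw Host reflected = {hit}")
```

Running the block prints `vulnerable: raw Host reflected = True` and `fixed: raw Host reflected = False`. Against a real deployment, `reflects_host_unescaped(fetch_over_http("host.example", 8080))` runs the same probe over the wire; a hit means the 404 page still reflects the header and the instance predates 22.10.0rc1 or carries a backport that does not escape it.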

Affected

13 ranges
Vendor    Product                                            Version range                         Fixed in
debian    debian_linux
debian    twisted                                            < twisted 22.4.0-4 (bookworm)         twisted 22.4.0-4 (bookworm)
msrc      cbl2_python-twisted_22.10.0-2_on_cbl_mariner_2.0
msrc      cm1_python-twisted_20.3.0-4_on_cbl_mariner_1.0
twisted   twisted
twisted   twisted                                            >= 0 < 20.3.0-7+deb11u2               20.3.0-7+deb11u2
twisted   twisted                                            >= 0 < 22.4.0-4                       22.4.0-4
twisted   twisted                                            >= 0 < 22.4.0-4                       22.4.0-4
twisted   twisted                                            >= 0 < 22.4.0-4                       22.4.0-4
twisted   twisted                                            >= 0 < 18.9.0-11ubuntu0.20.04.3       18.9.0-11ubuntu0.20.04.3
twisted   twisted                                            >= 0 < 22.1.0-2ubuntu2.4              22.1.0-2ubuntu2.4
twisted   twisted                                            >= 0.9.4 < 22.10.0                    22.10.0
twisted   twisted                                            >= 0.9.4 < 22.10.0rc1                 22.10.0rc1

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v3.1      5.4     MEDIUM     CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
osv                       5.4     MEDIUM
vendor_debian             5.4     MEDIUM
vendor_msrc               5.4     MEDIUM
vendor_redhat             5.4     MEDIUM
vendor_ubuntu             5.4     MEDIUM