CVE-2022-39348

Name: CVE-2022-39348

Description: Twisted is an event-based framework for internet applications. Starting with version 0.9.4, when the Host header does not match a configured host, `twisted.web.vhost.NameVirtualHost` will return a `NoResource` resource which renders the Host header unescaped into the 404 response, allowing HTML and script injection. In practice this should be very difficult to exploit, as being able to modify the Host header of a normal HTTP request implies that one is already in a privileged position. This issue was fixed in version 22.10.0rc1. There are no known workarounds.

Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

References: DLA-3212-1, ELA-896-1

Debian Bugs: 1023359

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| twisted (PTS) | jessie, jessie (lts) | 14.0.2-3+deb8u6 | fixed |
| | stretch (security) | 16.6.0-2+deb9u3 | vulnerable |
| | stretch (lts), stretch | 16.6.0-2+deb9u4 | fixed |
| | buster (security), buster, buster (lts) | 18.9.0-3+deb10u2 | fixed |
| | bullseye | 20.3.0-7+deb11u1 | vulnerable |
| | bookworm (security), bookworm | 22.4.0-4+deb12u1 | fixed |
| | trixie | 24.7.0-3 | fixed |
| | sid | 24.10.0-2 | fixed |

The information below is based on the following data on fixed versions.

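| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| twisted | source | jessie | 14.0.2-3+deb8u6 | | ELA-896-1 | |
| twisted | source | stretch | 16.6.0-2+deb9u4 | | ELA-896-1 | |
| twisted | source | buster | 18.9.0-3+deb10u2 | | DLA-3212-1 | |
| twisted | source | (unstable) | 22.4.0-4 | | | 1023359 |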

Notes

[bullseye] - twisted <no-dsa> (Minor issue)
https://github.com/twisted/twisted/security/advisories/GHSA-vg46-2rrj-3647
Introduced by: https://github.com/twisted/twisted/commit/f49041bb67792506d85aeda9cf6157e92f8048f4
Fixed by: https://github.com/twisted/twisted/commit/f2f5e81c03f14e253e85fe457e646130780db40b (twisted-22.10.0rc1)
