CVE-2022-21712
Cookie and header exposure in twisted
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
twisted is an event-driven networking engine written in Python. In affected versions twisted exposes cookies and authorization headers when following cross-origin redirects. This issue is present in the `twited.web.RedirectAgent` and `twisted.web. BrowserLikeRedirectAgent` functions. Users are advised to upgrade. There are no known workarounds.
twisted es un motor de red basado en eventos escrito en Python. En las versiones afectadas, twisted expone las cookies y los encabezados de autorización cuando sigue redireccionamientos de origen cruzado. Este problema está presente en "twited.web.RedirectAgent" y "twisted.web. BrowserLikeRedirectAgent". Es recomendado a usuarios que actualicen. No hay medidas de mitigación adicionales conocidas
A flaw was found in the twisted Python library when WebClient redirects via the RedirectAgent and BrowserLikeRedirectAgent methods. This flaw allows an attacker to take advantage of these cross-origin redirects and leak the cookie and authorization headers.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2021-11-16 CVE Reserved
- 2022-02-07 CVE Published
- 2024-08-03 CVE Updated
- 2024-10-23 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
- CWE-346: Origin Validation Error
CAPEC
References (9)
URL | Tag | Source |
---|---|---|
https://github.com/twisted/twisted/releases/tag/twisted-22.1.0 | Release Notes | |
https://github.com/twisted/twisted/security/advisories/GHSA-92x2-jw7w-xvvx | Third Party Advisory | |
https://lists.debian.org/debian-lts-announce/2022/02/msg00021.html | Mailing List |
URL | Date | SRC |
---|
URL | Date | SRC |
---|---|---|
https://github.com/twisted/twisted/commit/af8fe78542a6f2bf2235ccee8158d9c88d31e8e2 | 2023-11-07 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Twistedmatrix Search vendor "Twistedmatrix" | Twisted Search vendor "Twistedmatrix" for product "Twisted" | >= 11.1.0 < 22.1.0 Search vendor "Twistedmatrix" for product "Twisted" and version " >= 11.1.0 < 22.1.0" | - |
Affected
| ||||||
Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 9.0 Search vendor "Debian" for product "Debian Linux" and version "9.0" | - |
Affected
| ||||||
Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | 35 Search vendor "Fedoraproject" for product "Fedora" and version "35" | - |
Affected
| ||||||
Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | 36 Search vendor "Fedoraproject" for product "Fedora" and version "36" | - |
Affected
|