CVE-2022-39348

Twisted vulnerable to NameVirtualHost Host header injection

Severity Score

5.4

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Twisted is an event-based framework for internet applications. Started with version 0.9.4, when the host header does not match a configured host `twisted.web.vhost.NameVirtualHost` will return a `NoResource` resource which renders the Host header unescaped into the 404 response allowing HTML and script injection. In practice this should be very difficult to exploit as being able to modify the Host header of a normal HTTP request implies that one is already in a privileged position. This issue was fixed in version 22.10.0rc1. There are no known workarounds.

Twisted es un framework basado en eventos para aplicaciones de Internet. Comenzó con la versión 0.9.4, cuando el encabezado del host no coincide con un host configurado "twisted.web.vhost.NameVirtualHost" devolverá un recurso "NoResource" que hace que el encabezado del Host no sea escondido en la respuesta 404 permitiendo la inyección de HTML y scripts. En la práctica esto debería ser muy difícil de explotar ya que ser capaz de modificar el encabezado Host de una petición HTTP normal implica que uno ya está en una posición privilegiada. Este problema ha sido corregido en versión 22.10.0rc1. No se presenta mitigaciones conocidas

*Credits: N/A

CVSS Scores

NISTv3.1 5.4

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2022-09-02 CVE Reserved
2022-10-26 CVE Published
2024-08-03 CVE Updated
2024-08-03 First Exploit
2024-11-21 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

CAPEC

References (5)

URL	Tag	Source
https://lists.debian.org/debian-lts-announce/2022/11/msg00038.html	Mailing List

URL	Date	SRC
https://github.com/twisted/twisted/security/advisories/GHSA-vg46-2rrj-3647	2024-08-03

URL	Date	SRC
https://github.com/twisted/twisted/commit/f2f5e81c03f14e253e85fe457e646130780db40b	2023-03-08
https://github.com/twisted/twisted/commit/f49041bb67792506d85aeda9cf6157e92f8048f4	2023-03-08

URL	Date	SRC
https://security.gentoo.org/glsa/202301-02	2023-03-08

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Twistedmatrix Search vendor "Twistedmatrix"		Twisted Search vendor "Twistedmatrix" for product "Twisted"				>= 0.9.4 < 22.10.0 Search vendor "Twistedmatrix" for product "Twisted" and version " >= 0.9.4 < 22.10.0"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				10.0 Search vendor "Debian" for product "Debian Linux" and version "10.0"		-		Affected