Bug 2139431 (CVE-2022-39348)
| Summary: | CVE-2022-39348 python-twisted: NameVirtualHost Host header injection | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | ybuenos |
| Component: | vulnerability | Assignee: | Nobody <nobody> |
| Status: | NEW --- | QA Contact: | |
| Severity: | low | Docs Contact: | |
| Priority: | low | ||
| Version: | unspecified | CC: | adudiak, aoconnor, bbuckingham, bcoca, bcourt, bniver, eglynn, ehelms, epacific, flucifre, gmeno, jcammara, jhardy, jjoyce, jneedle, jobarker, jschluet, jsherril, kshier, lhh, lmadsen, lzap, mabashia, mbenjamin, mburns, mgarciac, mhackett, mhulan, mmccune, mrunge, nmoumoul, orabin, pcreech, python-maint, rchan, rhos-maint, simaishi, slinaber, smcdonal, sostapov, spower, stcannon, teagle, tfister, tvignaud, vereddy, yguenane, zsadeh |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | python-twisted 22.10.0 | Doc Type: | --- |
| Doc Text: | A Host header injection flaw was found in the web module of Twisted, the event-based framework. When the Host header does not match a configured host, the web module renders unescaped characters into the 404 response. This can result in HTML and script injection. For this vulnerability to be exploited, the attacker needs to be in a privileged position. | Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | Type: | --- | |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 2143620, 2143621, 2139627, 2139628, 2139629, 2139630 | ||
| Bug Blocks: | 2138869 | ||
Description
ybuenos
2022-11-02 13:57:25 UTC