2051865 – (CVE-2022-21712) CVE-2022-21712 dev-python/twisted: secret exposure in cross-origin redirects

Bug 2051865 (CVE-2022-21712) - CVE-2022-21712 dev-python/twisted: secret exposure in cross-origin redirects

Summary: CVE-2022-21712 dev-python/twisted: secret exposure in cross-origin redirects

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2022-21712
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2059507 2060280 2060281 2053744 2053745 2053746 2056105 2059508 2066919
Blocks:	2051861
TreeView+	depends on / blocked

Reported:	2022-02-08 08:45 UTC by Vipul Nair
Modified:	2022-09-23 20:05 UTC (History)
CC List:	57 users (show)
Fixed In Version:	twisted 22.1
Clone Of:
Environment:
Last Closed:	2022-03-24 14:01:58 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2022:0982	0	None	None	None	2022-03-24 11:04:10 UTC
Red Hat Product Errata	RHSA-2022:0992	0	None	None	None	2022-03-23 22:29:25 UTC

Description Vipul Nair 2022-02-08 08:45:12 UTC

twisted is an event-driven networking engine written in Python. In affected versions twisted exposes cookies and authorization headers when following cross-origin redirects. This issue is present in the `twisted.web.RedirectAgent` and `twisted.web.BrowserLikeRedirectAgent` functions. Users are advised to upgrade. There are no known workarounds.

https://github.com/twisted/twisted/commit/af8fe78542a6f2bf2235ccee8158d9c88d31e8e2
https://github.com/twisted/twisted/releases/tag/twisted-22.1.0
https://github.com/twisted/twisted/security/advisories/GHSA-92x2-jw7w-xvvx

Comment 4 Avinash Hanwate 2022-03-01 08:48:58 UTC

Created python-twisted tracking bugs for this issue:

Affects: epel-all [bug 2059507]
Affects: fedora-all [bug 2059508]

Comment 8 errata-xmlrpc 2022-03-23 22:29:21 UTC

This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.2

Via RHSA-2022:0992 https://access.redhat.com/errata/RHSA-2022:0992

Comment 9 errata-xmlrpc 2022-03-24 11:04:05 UTC

This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.1

Via RHSA-2022:0982 https://access.redhat.com/errata/RHSA-2022:0982

Comment 10 Product Security DevOps Team 2022-03-24 14:01:54 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-21712

Note You need to log in before you can comment on or make changes to this bug.

amctagga
anharris
bbuckingham
bcoca
bcourt
bniver
btotty
chousekn
cmeyers
davidn
dbecker
eclipseo
ehelms
flucifre
gblomqui
gmeno
hvyas
jcammara
jhardy
jjoyce
jobarker
jschluet
jsherril
lhh
lmadsen
lpeer
lzap
mabashia
mbenjamin
mburns
mgarciac
mhackett
mhroncok
mhulan
mmccune
mrunge
myarboro
nmoumoul
notting
orabin
osapryki
pcreech
python-maint
python-sig
rchan
relrod
rhos-maint
rpetrell
sclewis
sdoran
slinaber
smcdonal
sostapov
tkuratom
tvignaud
V02460
vereddy