Bug 2139431 (CVE-2022-39348) - CVE-2022-39348 python-twisted: NameVirtualHost Host header injection
Summary: CVE-2022-39348 python-twisted: NameVirtualHost Host header injection
Status: NEW
Alias: CVE-2022-39348
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Nobody
QA Contact:
Depends On: 2143620 2143621 2139627 2139628 2139629 2139630
Blocks: 2138869
Reported: 2022-11-02 13:57 UTC by ybuenos
Modified: 2023-07-07 08:34 UTC (History)

Fixed In Version: python-twisted 22.10.0
Doc Type: ---
Doc Text:
A host header injection flaw was found in the web module of Twisted, an event-based framework. When the Host header does not match a configured host, the web module renders the header's characters unescaped into the 404 response. This can result in HTML and script injection. For this vulnerability to be exploited, the attacker needs to be in a privileged position.
Clone Of:
Last Closed:


Description ybuenos 2022-11-02 13:57:25 UTC
Twisted is an event-based framework for internet applications. Starting with version 0.9.4, when the host header does not match a configured host `twisted.web.vhost.NameVirtualHost` will return a `NoResource` resource which renders the Host header unescaped into the 404 response allowing HTML and script injection. In practice this should be very difficult to exploit as being able to modify the Host header of a normal HTTP request implies that one is already in a privileged position. This issue was fixed in version 22.10.0rc1. There are no known workarounds.
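The mechanism described above, as an added illustration that is not Twisted's own code: a minimal NameVirtualHost-style dispatcher whose 404 page interpolates the Host header, shown in the unescaped form the report describes and in a hardened form that escapes the header first. The host map, the 404 wording and the sample header value are constructed for this example.

```python
import html

# Constructed stand-in for a name-based virtual host map: one resource per
# configured Host name; any other Host is answered with a 404 page.
CONFIGURED_HOSTS = {
    "app.example.test": "app resource",
    "api.example.test": "api resource",
}


def not_found_body(host_header: str, escape: bool) -> str:
    """Build the 404 HTML body that echoes the (attacker-controlled) Host header.

    escape=False models the flawed behaviour: the header is interpolated
    verbatim, so any markup in it becomes markup in the response.
    escape=True is the hardened variant: the header is HTML-escaped first.
    """
    shown = html.escape(host_header, quote=True) if escape else host_header
    return (
        "<html><head><title>No Such Resource</title></head>"
        f"<body><h1>No Such Resource</h1><p>host {shown} not in vhost map</p>"
        "</body></html>"
    )


def dispatch(host_header: str, escape: bool) -> tuple[int, str]:
    """Return (status, body) for a request carrying the given Host header."""
    # Normalise like a vhost lookup would: drop any :port suffix, ignore case.
    host = host_header.split(":", 1)[0].lower()
    if host in CONFIGURED_HOSTS:
        return 200, CONFIGURED_HOSTS[host]
    return 404, not_found_body(host_header, escape)


def reflects_markup(body: str, tag: str = "<script>") -> bool:
    """Detection check: does a raw tag from the input survive into the body?"""
    return tag in body


if __name__ == "__main__":
    constructed_host = "evil.test<script>alert(1)</script>"  # constructed sample
    for esc in (False, True):
        status, body = dispatch(constructed_host, escape=esc)
        label = "escaped" if esc else "unescaped"
        print(f"{status} {label}: reflects raw <script>: {reflects_markup(body)}")
```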

