Bug 2139431 (CVE-2022-39348) - CVE-2022-39348 python-twisted: NameVirtualHost Host header injection
Summary: CVE-2022-39348 python-twisted: NameVirtualHost Host header injection
Keywords:
Status: NEW
Alias: CVE-2022-39348
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Importance: low low
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2143620 2143621 2139627 2139628 2139629 2139630
Blocks: 2138869
Reported: 2022-11-02 13:57 UTC by ybuenos
Modified: 2023-07-07 08:34 UTC (History)

Fixed In Version: python-twisted 22.10.0
Doc Type: ---
Doc Text:
A Host header injection flaw was found in the web module of the Twisted event-based framework. When the Host header of a request does not match any configured virtual host, twisted.web.vhost.NameVirtualHost returns a 404 response whose body contains the Host header value unescaped. This can result in HTML and script injection. For this vulnerability to be exploited, the attacker needs to control the Host header of a request whose response a victim will render, which in practice means being in a privileged position on the network path.
Clone Of:
Environment:
Last Closed:
Embargoed:



Description ybuenos 2022-11-02 13:57:25 UTC
Twisted is an event-based framework for internet applications. Starting with version 0.9.4, when the host header does not match a configured host `twisted.web.vhost.NameVirtualHost` will return a `NoResource` resource which renders the Host header unescaped into the 404 response allowing HTML and script injection. In practice this should be very difficult to exploit as being able to modify the Host header of a normal HTTP request implies that one is already in a privileged position. This issue was fixed in version 22.10.0rc1. There are no known workarounds.

https://github.com/twisted/twisted/commit/f2f5e81c03f14e253e85fe457e646130780db40b
https://github.com/twisted/twisted/security/advisories/GHSA-vg46-2rrj-3647
https://github.com/twisted/twisted/commit/f49041bb67792506d85aeda9cf6157e92f8048f4
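The pattern described in the Doc Text and in the description above, as an added illustration that is not code from Twisted or from this bug's reporter: a simplified name-based virtual host dispatcher whose 404 body is built from the request's Host header, shown in its unescaped (vulnerable) and HTML-escaped (hardened) forms, together with a canary-based check a tester can use against a captured 404 body. The lookup logic, the error-page template, the function names and the sample vhost map and Host values are this example's own assumptions, not NameVirtualHost's or NoResource's actual implementation.

```python
"""
Simplified model of the CVE-2022-39348 pattern: a name-based vhost
dispatcher that builds its 404 page from the request's Host header.

Added example, not Twisted's code. The dispatch logic and the error-page
template are a hypothetical reconstruction of the pattern in the advisory;
all names and sample data below belong to this example only.
"""
from html import escape

# Constructed sample vhost map: lower-cased host name -> body served for it.
VHOSTS = {
    b"example.test": b"<h1>example.test</h1>",
    b"api.example.test": b"<h1>api.example.test</h1>",
}

# Constructed sample Host value an attacker controls, either by sending the
# request directly (curl, a raw socket) or by rewriting a victim's traffic.
INJECTED_HOST = b"<script>alert(1)</script>"

# Constructed marker for probing: unlikely to appear in a legitimate page.
CANARY = b"<cve-2022-39348-canary>"


def error_page(brief: str, detail: str) -> bytes:
    """Minimal HTML error page. Trusts its arguments to be safe markup."""
    return (
        "<!DOCTYPE html><html><head><title>%s</title></head>"
        "<body><h1>%s</h1><p>%s</p></body></html>" % (brief, brief, detail)
    ).encode("utf-8")


def vulnerable_404(host: bytes) -> bytes:
    """The bad pattern: the raw Host value is interpolated into the page."""
    detail = "host %r not in vhost map" % host
    return error_page("No Such Resource", detail)


def hardened_404(host: bytes) -> bytes:
    """Fixed pattern: HTML-escape every string derived from the request."""
    detail = escape("host %r not in vhost map" % host, quote=True)
    return error_page("No Such Resource", detail)


def dispatch(host_header, render_404=hardened_404, default_body=None):
    """Model of name-based vhost dispatch; returns (status, body).

    A missing Host header falls through to the default body (if any);
    an unknown host produces a 404 built by render_404.
    """
    host = host_header.lower() if host_header is not None else b""
    body = VHOSTS.get(host, default_body)
    if body is None:
        return 404, render_404(host)
    return 200, body


def probe_request(path: bytes = b"/") -> bytes:
    """Raw HTTP/1.1 request a tester would send to a suspect vhost server."""
    return (
        b"GET " + path + b" HTTP/1.1\r\n"
        b"Host: " + CANARY + b"\r\n"
        b"Connection: close\r\n\r\n"
    )


def reflects_unescaped(response_body: bytes) -> bool:
    """True when the canary comes back verbatim, i.e. unescaped, in the body."""
    return CANARY in response_body


if __name__ == "__main__":
    for label, renderer in (("vulnerable", vulnerable_404), ("hardened", hardened_404)):
        status, body = dispatch(INJECTED_HOST, render_404=renderer)
        print(label, status, body.decode("utf-8"))
    print("probe:", probe_request())
    print("vulnerable reflects canary:", reflects_unescaped(vulnerable_404(CANARY)))
    print("hardened reflects canary:  ", reflects_unescaped(hardened_404(CANARY)))
```

To check a live server, send the bytes from probe_request() to it and pass the response body to reflects_unescaped(); a True result means the Host value is being echoed without escaping. Note that the dispatcher lower-cases the Host value before lookup, so the 404 page reflects the lower-cased string; an escaping fix must still be applied to that derived value, as hardened_404 does.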

