Twisted is an event-based framework for internet applications. Started with version 0.9.4, when the host header does not match a configured host `twisted.web.vhost.NameVirtualHost` will return a `NoResource` resource which renders the Host header unescaped into the 404 response allowing HTML and script injection. In practice this should be very difficult to exploit as being able to modify the Host header of a normal HTTP request implies that one is already in a privileged position. This issue was fixed in version 22.10.0rc1. There are no known workarounds.
Metrics
Affected Vendors & Products
References
History
Mon, 25 Nov 2024 18:30:00 +0000
Type | Values Removed | Values Added |
---|---|---|
First Time appeared |
Twisted
Twisted twisted |
|
CPEs | cpe:2.3:a:twisted:twisted:*:*:*:*:*:*:*:* | |
Vendors & Products |
Twistedmatrix
Twistedmatrix twisted |
Twisted
Twisted twisted |
MITRE
Status: PUBLISHED
Assigner: GitHub_M
Published: 2022-10-26T00:00:00
Updated: 2024-08-03T12:00:44.145Z
Reserved: 2022-09-02T00:00:00
Link: CVE-2022-39348
Vulnrichment
No data.
NVD
Status : Modified
Published: 2022-10-26T20:15:10.580
Modified: 2024-11-25T18:12:24.673
Link: CVE-2022-39348
Redhat