Debian Bug report logs -
#1023359
twisted: CVE-2022-39348: NameVirtualHost Host header injection
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Wed, 2 Nov 2022 20:36:02 UTC
Severity: important
Tags: security, upstream
Found in versions twisted/22.4.0-3, twisted/20.3.0-7, twisted/20.3.0-7+deb11u1
Reply or subscribe to this bug.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Debian Python Team <team+python@tracker.debian.org>:
Bug#1023359; Package src:twisted.
(Wed, 02 Nov 2022 20:36:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Debian Python Team <team+python@tracker.debian.org>.
(Wed, 02 Nov 2022 20:36:04 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: twisted
Version: 22.4.0-3
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
Control: found -1 20.3.0-7+deb11u1
Control: found -1 20.3.0-7
Hi,
The following vulnerability was published for twisted.
CVE-2022-39348[0]:
| Twisted is an event-based framework for internet applications. Started
| with version 0.9.4, when the host header does not match a configured
| host `twisted.web.vhost.NameVirtualHost` will return a `NoResource`
| resource which renders the Host header unescaped into the 404 response
| allowing HTML and script injection. In practice this should be very
| difficult to exploit as being able to modify the Host header of a
| normal HTTP request implies that one is already in a privileged
| position. This issue was fixed in version 22.10.0rc1. There are no
| known workarounds.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2022-39348
https://www.cve.org/CVERecord?id=CVE-2022-39348
[1] https://github.com/twisted/twisted/security/advisories/GHSA-vg46-2rrj-3647
[2] https://github.com/twisted/twisted/commit/f2f5e81c03f14e253e85fe457e646130780db40b
Regards,
Salvatore
Marked as found in versions twisted/20.3.0-7+deb11u1.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to submit@bugs.debian.org.
(Wed, 02 Nov 2022 20:36:04 GMT) (full text, mbox, link).
Marked as found in versions twisted/20.3.0-7.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to submit@bugs.debian.org.
(Wed, 02 Nov 2022 20:36:05 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Thu Nov 3 13:24:55 2022;
Machine Name:
bembo
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon