CVE-2022-39348

MEDIUM

Twisted 0.9.4-22.10.0rc1 - Cross-Site Scripting via Host Header in NameVirtualHost

Title source: llm

Description

Twisted is an event-based framework for internet applications. Started with version 0.9.4, when the host header does not match a configured host `twisted.web.vhost.NameVirtualHost` will return a `NoResource` resource which renders the Host header unescaped into the 404 response allowing HTML and script injection. In practice this should be very difficult to exploit as being able to modify the Host header of a normal HTTP request implies that one is already in a privileged position. This issue was fixed in version 22.10.0rc1. There are no known workarounds.

References (6)

Core 6

Core References

Mailing List

https://lists.debian.org/debian-lts-announce/2024/11/msg00028.html

Patch

https://github.com/twisted/twisted/commit/f2f5e81c03f14e253e85fe457e646130780db40b

View Patch ZIP pw:eip

Patch

https://github.com/twisted/twisted/commit/f49041bb67792506d85aeda9cf6157e92f8048f4

View Patch ZIP pw:eip

Exploit, Patch, Third Party Advisory

https://github.com/twisted/twisted/security/advisories/GHSA-vg46-2rrj-3647

Mailing List, Third Party Advisory mailing-list

https://lists.debian.org/debian-lts-announce/2022/11/msg00038.html

Third Party Advisory vendor-advisory

https://security.gentoo.org/glsa/202301-02

Scores

CVSS v3 5.4

EPSS 0.0120

EPSS Percentile 79.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-80 CWE-79

Status published

Products (3)

debian/debian_linux 10.0

pypi/Twisted 0.9.4 - 22.10.0rc1PyPI

twisted/twisted 0.9.4 - 22.10.0

Published Oct 26, 2022

Tracked Since Feb 18, 2026