1. Home
  2. CVE Database
  3. CVE-2022-39348
MEDIUM · 5.4

CVE-2022-39348

Twisted is an event-based framework for internet applications. Started with version 0.9.4, when the host header does not match a configured host `twisted.web.vhost.NameVirtualHost` will return a `NoRe...

Vulnerability Description

Twisted is an event-based framework for internet applications. Started with version 0.9.4, when the host header does not match a configured host `twisted.web.vhost.NameVirtualHost` will return a `NoResource` resource which renders the Host header unescaped into the 404 response allowing HTML and script injection. In practice this should be very difficult to exploit as being able to modify the Host header of a normal HTTP request implies that one is already in a privileged position. This issue was fixed in version 22.10.0rc1. There are no known workarounds.

CVSS Score

5.4

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality
LOW
Integrity
LOW
Availability
NONE

Affected Products

VendorProductVersions
TwistedTwisted>= 0.9.4, < 22.10.0
DebianDebian Linux10.0

Related Weaknesses (CWE)

CWE-79CWE-80

References

FAQ

What is CVE-2022-39348?

CVE-2022-39348 is a vulnerability with a CVSS score of 5.4 (MEDIUM). Twisted is an event-based framework for internet applications. Started with version 0.9.4, when the host header does not match a configured host `twisted.web.vhost.NameVirtualHost` will return a `NoRe...

How severe is CVE-2022-39348?

CVE-2022-39348 has been rated MEDIUM with a CVSS base score of 5.4/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2022-39348?

Check the references section above for vendor advisories and patch information. Affected products include: Twisted Twisted, Debian Debian Linux.