Source: twisted
Version: 22.4.0-3
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Control: found -1 20.3.0-7+deb11u1
Control: found -1 20.3.0-7

Hi,

The following vulnerability was published for twisted.

CVE-2022-39348[0]:
| Twisted is an event-based framework for internet applications. Started
| with version 0.9.4, when the host header does not match a configured
| host `twisted.web.vhost.NameVirtualHost` will return a `NoResource`
| resource which renders the Host header unescaped into the 404 response
| allowing HTML and script injection. In practice this should be very
| difficult to exploit as being able to modify the Host header of a
| normal HTTP request implies that one is already in a privileged
| position. This issue was fixed in version 22.10.0rc1. There are no
| known workarounds.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-39348
    https://www.cve.org/CVERecord?id=CVE-2022-39348
[1] https://github.com/twisted/twisted/security/advisories/GHSA-vg46-2rrj-3647
[2] https://github.com/twisted/twisted/commit/f2f5e81c03f14e253e85fe457e646130780db40b

Regards,
Salvatore
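As an added illustration that is not Twisted's code nor the upstream fix: a minimal stand-in for NameVirtualHost-style dispatch whose 404 page HTML-escapes the Host header, shown beside the unescaped pattern the advisory describes, plus a regression check a packager could keep in a test suite. The host table, function names and probe value are constructed for this example.

```python
import html
from http import HTTPStatus
from typing import Optional, Tuple

# Constructed stand-in for a NameVirtualHost host table (hypothetical names).
CONFIGURED_HOSTS = {"www.example.test", "api.example.test"}


def lookup_host(host_header: str) -> Optional[str]:
    """Return the matching configured host name, or None when no vhost matches."""
    # Drop an optional :port and compare case-insensitively, as a dispatcher would.
    name = host_header.split(":", 1)[0].strip().lower()
    return name if name in CONFIGURED_HOSTS else None


def render_404_unescaped(host_header: str) -> str:
    """The defective pattern: the request's Host header is interpolated verbatim."""
    return f"<html><body>No such host: {host_header}</body></html>"


def render_404(host_header: str) -> str:
    """Hardened form: HTML-escape the client-controlled header before embedding it."""
    safe = html.escape(host_header, quote=True)
    return f"<html><body>No such host: {safe}</body></html>"


def handle(host_header: str) -> Tuple[int, str]:
    """Dispatch one request by its Host header; return (status, body)."""
    if lookup_host(host_header) is None:
        return HTTPStatus.NOT_FOUND, render_404(host_header)
    return HTTPStatus.OK, "<html><body>ok</body></html>"


def header_is_escaped(body: str, host_header: str) -> bool:
    """Regression check: markup characters from the header must not reach the body raw."""
    if not any(c in host_header for c in "<>\"'&"):
        return True  # nothing to escape, nothing to check
    return host_header not in body and html.escape(host_header, quote=True) in body


if __name__ == "__main__":
    # Constructed probe: the markup is a harmless emphasis tag, used only as a marker.
    probe = "nosuch.example.test<em>marker</em>"
    status, body = handle(probe)
    print(int(status), header_is_escaped(body, probe))
```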