Home > Vulnerability Database > CVE-2022-39348

Mend.io Vulnerability Database

CVE-2022-39348

Date: October 26, 2022

Twisted is an event-based framework for internet applications. Started with version 0.9.4, when the host header does not match a configured host `twisted.web.vhost.NameVirtualHost` will return a `NoResource` resource which renders the Host header unescaped into the 404 response allowing HTML and script injection. In practice this should be very difficult to exploit as being able to modify the Host header of a normal HTTP request implies that one is already in a privileged position. This issue was fixed in version 22.10.0rc1. There are no known workarounds.

Language: Python

Severity Score

9.8

Related Resources (9)

Url: https://access.redhat.com/security/cve/CVE-2022-39348

Url: https://github.com/twisted/twisted/security/advisories/GHSA-vg46-2rrj-3647

Url: https://github.com/twisted/twisted/commit/f2f5e81c03f14e253e85fe457e646130780db40b

Url: https://github.com/twisted/twisted/commit/f49041bb67792506d85aeda9cf6157e92f8048f4

Url: https://security-tracker.debian.org/tracker/CVE-2022-39348

Url: https://lists.debian.org/debian-lts-announce/2022/11/msg00038.html

Url: https://security.gentoo.org/glsa/202301-02

Url: https://nvd.nist.gov/vuln/detail/CVE-2022-39348

Url: https://www.mend.io/vulnerability-database/CVE-2022-39348

Severity Score

9.8

Weakness Type (CWE)

Cross-Site Scripting (XSS)

CWE-79

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

CWE-80

CVSS v3.1

Base Score:	9.8
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2022-39348

Date: October 26, 2022

Language: Python

Severity Score

Related Resources (9)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?