CVE-2022-39348 (Medium) detected in Twisted-22.4.0-py3-none-any.whl

[mend-bolt-for-github[bot]]

CVE-2022-39348 - Medium Severity Vulnerability

Vulnerable Library - Twisted-22.4.0-py3-none-any.whl

An asynchronous networking framework written in Python

Library home page: https://files.pythonhosted.org/packages/db/99/38622ff95bb740bcc991f548eb46295bba62fcb6e907db1987c4d92edd09/Twisted-22.4.0-py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy: - Scrapy-2.6.2-py2.py3-none-any.whl (Root Library) - :x: **Twisted-22.4.0-py3-none-any.whl** (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Twisted is an event-based framework for internet applications. Started with version 0.9.4, when the host header does not match a configured host `twisted.web.vhost.NameVirtualHost` will return a `NoResource` resource which renders the Host header unescaped into the 404 response allowing HTML and script injection. In practice this should be very difficult to exploit as being able to modify the Host header of a normal HTTP request implies that one is already in a privileged position. This issue was fixed in version 22.10.0rc1. There are no known workarounds.

Publish Date: 2022-10-26

URL: CVE-2022-39348

CVSS 3 Score Details (5.4)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: Low - User Interaction: Required - Scope: Changed - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2022-39348

Release Date: 2022-10-26

Fix Resolution: twisted - 19.2.1,18.4.0;Twisted - 22.10.0rc1

---

Step up your Open Source Security Game with Mend here