Cross-site Scripting (XSS) Affecting python-twisted-web package, versions *


Severity

Recommended
low

Based on Red Hat Enterprise Linux security rating

    Threat Intelligence

    EPSS
    0.16% (53rd percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-RHEL7-PYTHONTWISTEDWEB-3099652
  • published 3 Nov 2022
  • disclosed 26 Oct 2022

How to fix?

There is no fixed version for RHEL:7 python-twisted-web.

NVD Description

Note: Versions mentioned in the description apply only to the upstream python-twisted-web package and not the python-twisted-web package as distributed by RHEL. See How to fix? for RHEL:7 relevant fixed versions and status.

Twisted is an event-based framework for internet applications. Started with version 0.9.4, when the host header does not match a configured host twisted.web.vhost.NameVirtualHost will return a NoResource resource which renders the Host header unescaped into the 404 response allowing HTML and script injection. In practice this should be very difficult to exploit as being able to modify the Host header of a normal HTTP request implies that one is already in a privileged position. This issue was fixed in version 22.10.0rc1. There are no known workarounds.

CVSS Scores

version 3.1
Expand this section

NVD

5.4 medium
  • Attack Vector (AV)
    Network
  • Attack Complexity (AC)
    Low
  • Privileges Required (PR)
    Low
  • User Interaction (UI)
    Required
  • Scope (S)
    Changed
  • Confidentiality (C)
    Low
  • Integrity (I)
    Low
  • Availability (A)
    None
Expand this section

Red Hat

5.4 medium
Expand this section

SUSE

3.7 low