#VU61611 Origin validation error in Twisted Web - CVE-2022-21712


Vulnerability identifier: #VU61611

Vulnerability risk: Low

CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2022-21712

CWE-ID: CWE-346

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Twisted Web
Server applications / Web servers

Vendor: Twisted Matrix Labs

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to origin validation error in the "twited.web.RedirectAgent" and "twisted.web.BrowserLikeRedirectAgent" functions. A remote attacker attacker can trick the victim to click on a specially crafted link and obtain cookies and authorization headers.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Twisted Web: 11.1.0 - 21.7.0

External links
https://github.com/twisted/twisted/commit/af8fe78542a6f2bf2235ccee8158d9c88d31e8e2
https://github.com/twisted/twisted/releases/tag/twisted-22.1.0
https://github.com/twisted/twisted/security/advisories/GHSA-92x2-jw7w-xvvx

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Amazon Linux AMI update for python-twisted
openEuler 22.03 LTS update for python-twisted
openEuler 20.03 LTS SP3 update for python-twisted
openEuler 20.03 LTS SP4 update for python-twisted
Multiple vulnerabilities in Dell PowerStore Family
Gentoo update for Twisted
SUSE update for python-Twisted
Information disclosure in IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data
Fedora 35 update for python-twisted
Fedora 36 update for python-twisted