PT-2021-7398 · Twisted +5

Published: 2021-12-24 · Updated: 2025-09-22 · CVE-2022-21716

CVSS v4.0: 8.7 (High)

Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Twisted versions prior to 22.2.0

Description: The Twisted SSH client and server implementation is vulnerable to a denial of service attack because it accepts an unbounded amount of data while waiting for the peer's SSH version identifier, so the receive buffer grows until it consumes all available memory. A malicious peer can craft a request that crashes the server. The attack can be as simple as using nc -rv localhost 22 < /dev/zero.

Recommendations: For versions prior to 22.2.0, update to version 22.2.0 to resolve the issue. As a temporary workaround, consider limiting access to the SSH server to only trusted source IP addresses. Additionally, connect over SSH only to trusted destination IP addresses to minimize the risk of exploitation.
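To make the defect concrete, the following is an added illustrative reader for the SSH version exchange (RFC 4253 section 4.2); it is not Twisted's own code, and the preamble cap, class and function names are assumptions made for this demo. It shows the bounded accumulation that prevents a stream without an SSH- line from growing the buffer without limit.

```python
# Illustrative bounded reader for the SSH protocol version exchange.
# Added example; not Twisted's code. Limits below are assumptions for the demo.
from typing import Optional, Tuple

MAX_IDENT_LINE = 255      # RFC 4253: identification string incl. CRLF is at most 255 bytes
MAX_PREAMBLE = 8 * 1024   # assumed cap on everything tolerated before the SSH- line


class IdentTooLong(ValueError):
    """Raised when a peer sends more pre-identification data than allowed."""


class VersionReader:
    """Accumulates bytes until a line starting with b'SSH-' is complete.

    The unbounded variant of this loop is the bug: it appends whatever the peer
    sends until an SSH- line appears, so a peer that never sends one (e.g. a
    stream of zero bytes) makes the buffer grow until memory is exhausted.
    """

    def __init__(self, max_preamble: int = MAX_PREAMBLE) -> None:
        self.buf = b""
        self.max_preamble = max_preamble
        self.ident: Optional[bytes] = None

    def feed(self, data: bytes) -> Optional[bytes]:
        # Check the bound before appending so an oversized chunk never lands in memory.
        if len(self.buf) + len(data) > self.max_preamble:
            raise IdentTooLong(f"more than {self.max_preamble} bytes before SSH- line")
        self.buf += data
        while self.ident is None and b"\n" in self.buf:
            line, _, self.buf = self.buf.partition(b"\n")
            line = line.rstrip(b"\r")
            if line.startswith(b"SSH-"):
                if len(line) + 2 > MAX_IDENT_LINE:
                    raise IdentTooLong("identification string exceeds 255 bytes")
                self.ident = line
            # Any other line is text sent before the identifier; discard it.
        return self.ident


def simulate_flood(chunk_size: int = 4096, chunks: int = 1000) -> Tuple[int, bool]:
    """Feed a constructed zero-byte stream (like the nc example); return (bytes kept, rejected?)."""
    reader = VersionReader()
    accepted = 0
    for _ in range(chunks):
        try:
            reader.feed(b"\x00" * chunk_size)
            accepted += chunk_size
        except IdentTooLong:
            return accepted, True
    return accepted, False
```

With the cap in place the constructed flood is cut off after 8 KiB instead of being buffered indefinitely, while a normal identifier, with or without preceding text lines, is still parsed.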

Tags: Exploit · Fix · DoS · Allocation of Resources Without Limits · Buffer Overflow


Weakness Enumeration

Related Identifiers

BDU:2022-05982
CVE-2022-21716
DLA-2938-1
GHSA-RV6R-3F5Q-9RGX
MGASA-2022-0168
OESA-2023-1908
OESA-2023-1909
OESA-2023-1970
OPENSUSE-SU-2022_2070-1
OPENSUSE-SU-2022_2297-1
OPENSUSE-SU-2024:11978-1
PYSEC-2022-160
RHSA-2022:0982
RHSA-2022:0992
SUSE-SU-2022:2070-1
SUSE-SU-2022:2117-1
SUSE-SU-2022:2297-1
SUSE-SU-2022_2070-1
SUSE-SU-2022_2117-1
SUSE-SU-2022_2297-1
USN-5354-1
USN-5354-2

Affected Products

Astra Linux
Linuxmint
Red Os
Suse
Twisted
Ubuntu