CVE-2022-39348

Name of the Vulnerable Software and Affected Versions Twisted versions 0.9.4 through 22.10.0rc1

Description The issue is related to the Twisted event-based framework for internet applications. When the host header does not match a configured host, twisted.web.vhost.NameVirtualHost will return a NoResource resource which renders the Host header unescaped into the 404 response, allowing HTML and script injection. This could potentially allow a remote attacker to access and compromise confidential data. However, exploitation is considered difficult as it requires the ability to modify the Host header of a normal HTTP request, implying a privileged position.

Recommendations For Twisted versions 0.9.4 through 22.10.0rc1, update to version 22.10.0rc1 or later to resolve the issue. As a temporary workaround, consider restricting access to the twisted.web.vhost.NameVirtualHost module until a patch is available. Avoid using the Host header in the affected API endpoint until the issue is resolved.