{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-21712", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "dateUpdated": "2024-08-03T02:53:34.847Z", "dateReserved": "2021-11-16T00:00:00", "datePublished": "2022-02-07T00:00:00"}, "containers": {"cna": {"title": "Cookie and header exposure in twisted", "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-01-11T00:00:00"}, "descriptions": [{"lang": "en", "value": "twisted is an event-driven networking engine written in Python. In affected versions twisted exposes cookies and authorization headers when following cross-origin redirects. This issue is present in the `twited.web.RedirectAgent` and `twisted.web. BrowserLikeRedirectAgent` functions. Users are advised to upgrade. There are no known workarounds."}], "affected": [{"vendor": "twisted", "product": "twisted", "versions": [{"version": ">= 11.1, < 22.1", "status": "affected"}]}], "references": [{"url": "https://github.com/twisted/twisted/security/advisories/GHSA-92x2-jw7w-xvvx"}, {"url": "https://github.com/twisted/twisted/commit/af8fe78542a6f2bf2235ccee8158d9c88d31e8e2"}, {"url": "https://github.com/twisted/twisted/releases/tag/twisted-22.1.0"}, {"name": "[debian-lts-announce] 20220219 [SECURITY] [DLA 2927-1] twisted security update", "tags": ["mailing-list"], "url": "https://lists.debian.org/debian-lts-announce/2022/02/msg00021.html"}, {"name": "FEDORA-2022-71b66d4747", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GLKHA6WREIVAMBQD7KKWYHPHGGNKMAG6/"}, {"name": "FEDORA-2022-9a489fa494", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7U6KYDTOLPICAVSR34G2WRYLFBD2YW5K/"}, {"name": "GLSA-202301-02", "tags": ["vendor-advisory"], "url": "https://security.gentoo.org/glsa/202301-02"}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH"}}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "cweId": "CWE-200"}]}], "source": {"advisory": "GHSA-92x2-jw7w-xvvx", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T02:53:34.847Z"}, "title": "CVE Program Container", "references": [{"url": "https://github.com/twisted/twisted/security/advisories/GHSA-92x2-jw7w-xvvx", "tags": ["x_transferred"]}, {"url": "https://github.com/twisted/twisted/commit/af8fe78542a6f2bf2235ccee8158d9c88d31e8e2", "tags": ["x_transferred"]}, {"url": "https://github.com/twisted/twisted/releases/tag/twisted-22.1.0", "tags": ["x_transferred"]}, {"name": "[debian-lts-announce] 20220219 [SECURITY] [DLA 2927-1] twisted security update", "tags": ["mailing-list", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2022/02/msg00021.html"}, {"name": "FEDORA-2022-71b66d4747", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GLKHA6WREIVAMBQD7KKWYHPHGGNKMAG6/"}, {"name": "FEDORA-2022-9a489fa494", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7U6KYDTOLPICAVSR34G2WRYLFBD2YW5K/"}, {"name": "GLSA-202301-02", "tags": ["vendor-advisory", "x_transferred"], "url": "https://security.gentoo.org/glsa/202301-02"}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:twistedmatrix:twisted:*:*:*:*:*:*:*:*", "matchCriteriaId": "AB3625CB-8933-4E70-A2B4-C970732F9E43", "versionEndExcluding": "22.1.0", "versionStartIncluding": "11.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*", "matchCriteriaId": "80E516C0-98A4-4ADE-B69F-66A772E2BAAA", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*", "matchCriteriaId": "5C675112-476C-4D7C-BCB9-A2FB2D0BC9FD", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "twisted is an event-driven networking engine written in Python. In affected versions twisted exposes cookies and authorization headers when following cross-origin redirects. This issue is present in the `twited.web.RedirectAgent` and `twisted.web. BrowserLikeRedirectAgent` functions. Users are advised to upgrade. There are no known workarounds."}, {"lang": "es", "value": "twisted es un motor de red basado en eventos escrito en Python. En las versiones afectadas, twisted expone las cookies y los encabezados de autorizaci\u00f3n cuando sigue redireccionamientos de origen cruzado. Este problema est\u00e1 presente en \"twited.web.RedirectAgent\" y \"twisted.web. BrowserLikeRedirectAgent\". Es recomendado a usuarios que actualicen. No hay medidas de mitigaci\u00f3n adicionales conocidas"}], "id": "CVE-2022-21712", "lastModified": "2023-11-07T03:43:42.170", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2022-02-07T22:15:08.587", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/twisted/twisted/commit/af8fe78542a6f2bf2235ccee8158d9c88d31e8e2"}, {"source": "security-advisories@github.com", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://github.com/twisted/twisted/releases/tag/twisted-22.1.0"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/twisted/twisted/security/advisories/GHSA-92x2-jw7w-xvvx"}, {"source": "security-advisories@github.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2022/02/msg00021.html"}, {"source": "security-advisories@github.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7U6KYDTOLPICAVSR34G2WRYLFBD2YW5K/"}, {"source": "security-advisories@github.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GLKHA6WREIVAMBQD7KKWYHPHGGNKMAG6/"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202301-02"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "security-advisories@github.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-346"}], "source": "nvd@nist.gov", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2022:0982", "cpe": "cpe:/a:redhat:openstack:16.1::el8", "package": "python-twisted-0:16.4.1-19.el8ost", "product_name": "Red Hat OpenStack Platform 16.1", "release_date": "2022-03-24T00:00:00Z"}, {"advisory": "RHSA-2022:0992", "cpe": "cpe:/a:redhat:openstack:16.2::el8", "package": "python-twisted-0:16.4.1-19.el8ost", "product_name": "Red Hat OpenStack Platform 16.2", "release_date": "2022-03-23T00:00:00Z"}], "bugzilla": {"description": "dev-python/twisted: secret exposure in cross-origin redirects", "id": "2051865", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2051865"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "status": "verified"}, "cwe": "CWE-346", "details": ["twisted is an event-driven networking engine written in Python. In affected versions twisted exposes cookies and authorization headers when following cross-origin redirects. This issue is present in the `twited.web.RedirectAgent` and `twisted.web. BrowserLikeRedirectAgent` functions. Users are advised to upgrade. There are no known workarounds.", "A flaw was found in the twisted Python library when WebClient redirects via the RedirectAgent and BrowserLikeRedirectAgent methods. This flaw allows an attacker to take advantage of these cross-origin redirects and leak the cookie and authorization headers."], "name": "CVE-2022-21712", "package_state": [{"cpe": "cpe:/a:redhat:ansible_automation_platform", "fix_state": "Affected", "package_name": "twisted[tls]", "product_name": "Red Hat Ansible Automation Platform 1.2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Affected", "package_name": "twisted[tls]", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ceph_storage:3", "fix_state": "Out of support scope", "package_name": "python-twisted-core", "product_name": "Red Hat Ceph Storage 3"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "python-twisted", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/a:redhat:openstack:13", "fix_state": "Out of support scope", "package_name": "python-twisted", "product_name": "Red Hat OpenStack Platform 13 (Queens)"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Will not fix", "package_name": "python-twisted", "product_name": "Red Hat Satellite 6"}, {"cpe": "cpe:/a:redhat:storage:3", "fix_state": "Affected", "package_name": "python-twisted-core", "product_name": "Red Hat Storage 3"}, {"cpe": "cpe:/a:redhat:service_telemetry_framework:1.3::el8", "fix_state": "Will not fix", "package_name": "python-twisted", "product_name": "Service Telemetry Framework 1.3 for RHEL 8"}], "public_date": "2022-02-08T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-21712\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-21712\nhttps://github.com/twisted/twisted/security/advisories/GHSA-92x2-jw7w-xvvx"], "threat_severity": "Moderate", "upstream_fix": "twisted 22.1"}