CVE-2022-39348

Aliases: GHSA-vg46-2rrj-3647
Modified
Published: 26 Oct 2022, 00:00
Last modified: 03 Nov 2025, 21:46

Vulnerability Summary

Overall Risk (default): medium (32/100)
CVSS Score: 5.4 MEDIUM, v3.1 (cve.org)
EPSS Score: 1.2% LOW (1% probability, +0.02%)
KEV: Not listed
Ransomware: No reports
Public exploits: 1 found
Dark Web: Not detected

Timeline

26 Oct 2022, 00:00: Published (vulnerability first disclosed)
03 Nov 2025, 21:46: Last Modified (vulnerability information updated)

Description

Twisted is an event-based framework for internet applications. Starting with version 0.9.4, when the Host header does not match a configured host, `twisted.web.vhost.NameVirtualHost` returns a `NoResource` resource that renders the Host header unescaped into the 404 response, allowing HTML and script injection. In practice this should be very difficult to exploit, as being able to modify the Host header of a normal HTTP request implies that one is already in a privileged position. This issue was fixed in version 22.10.0rc1. There are no known workarounds.
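The following is an added illustration, not Twisted's code: a minimal name-based virtual-host dispatcher that shows the weakness described above (the raw Host header interpolated into a 404 body) next to the escaped rendering that neutralizes it, plus an edge-side check that flags Host values outside the characters a hostname can legitimately contain. The template text, the `NameVirtualHost` class and the helper names are constructed for this example.

```python
import html
import re
from typing import Dict, Tuple

# Constructed 404 template; the {host} slot is where the Host header lands.
NOT_FOUND_TEMPLATE = (
    "<html><head><title>404 - No Such Resource</title></head>"
    "<body><h1>No Such Resource</h1>"
    "<p>host {host} not in vhost map</p></body></html>"
)

# Hostname or IPv4/IPv6 literal with an optional port; anything else is not a
# plausible Host value and is worth logging or rejecting at the edge.
HOST_RE = re.compile(r"^(\[[0-9A-Fa-f:.]+\]|[A-Za-z0-9.\-]+)(:\d{1,5})?$")


def render_404_unescaped(host: str) -> str:
    """Weak rendering: the Host header is placed verbatim into HTML."""
    return NOT_FOUND_TEMPLATE.format(host=host)


def render_404_escaped(host: str) -> str:
    """Fixed rendering: '<', '>', '&' and quotes are neutralized first."""
    return NOT_FOUND_TEMPLATE.format(host=html.escape(host, quote=True))


def host_is_well_formed(host: str) -> bool:
    """Detection/mitigation helper: True only for syntactically valid Host values."""
    return HOST_RE.match(host) is not None


class NameVirtualHost:
    """Toy name-based vhost map (not twisted.web.vhost.NameVirtualHost)."""

    def __init__(self, escape_404: bool = True) -> None:
        self.hosts: Dict[str, str] = {}
        self.escape_404 = escape_404

    def add_host(self, name: str, body: str) -> None:
        self.hosts[name.lower()] = body

    def dispatch(self, host_header: str) -> Tuple[int, str]:
        # Name-based matching ignores the port and is case-insensitive.
        name = host_header.split(":", 1)[0].lower()
        if name in self.hosts:
            return 200, self.hosts[name]
        render = render_404_escaped if self.escape_404 else render_404_unescaped
        return 404, render(host_header)
```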

CVSS Metrics

  • v4.0 MEDIUM, score 5.1: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
  • v3.1 MEDIUM, score 5.4: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

EPSS Trends

Current EPSS score: 1.20% Percentile: 79%

Techniques & Countermeasures

  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

    The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

  • CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

    The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages.

Affected Systems

  • debian / debian_linux

    10.0

  • PyPI / twisted

    ≥ 0.9.4, < 22.10.0rc1

  • twisted / twisted

    ≥ 0.9.4, < 22.10.0rc1 | ≥ 0.9.4, < 22.10.0

References (8)