Medium severity · 5.4 · NVD Advisory · Published Oct 26, 2022 · Updated Jun 17, 2026
CVE-2022-39348
Description
Twisted is an event-based framework for internet applications. Starting with version 0.9.4, when the Host header does not match a configured host, twisted.web.vhost.NameVirtualHost returns a NoResource resource that renders the Host header unescaped into the 404 response, allowing HTML and script injection. In practice this should be very difficult to exploit, since being able to modify the Host header of a normal HTTP request implies that one is already in a privileged position (a browser will not send an attacker-chosen Host header for a normal page load). This issue was fixed in version 22.10.0rc1. There are no known workarounds.
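The following is an added, self-contained reconstruction of the mechanism described above; it is not Twisted's own code, and the host map, the error-page template, the wording of the 404 detail string and the function names are assumptions chosen for illustration. It shows the vulnerable rendering (header interpolated unescaped), the hardened rendering (header HTML-escaped), and a small probe builder a practitioner can use to exercise their own deployment with a crafted Host header and then check the response body for unescaped reflection.

```python
"""Reconstruction of CVE-2022-39348 for illustration (not Twisted's code).

Name-based virtual hosting looks the Host header up in a map; when no host
matches, a 404 page is rendered that includes the header value. Before
Twisted 22.10.0rc1 that value was not escaped, so HTML in the header landed
verbatim in the response body.
"""
from html import escape

# Constructed host map standing in for a NameVirtualHost configuration.
VHOSTS = {b"example.test": "site-a", b"admin.example.test": "site-b"}

# Assumed template; the real page layout is not reproduced here.
TEMPLATE = (
    "<html><head><title>404 - No Such Resource</title></head>"
    "<body><h1>No Such Resource</h1><p>{detail}</p></body></html>"
)


def lookup_vhost(host_header: bytes):
    """Normalise the Host header (lower-case, drop the port) and look it up."""
    host = host_header.lower().split(b":", 1)[0]
    return VHOSTS.get(host)


def render_404_vulnerable(host_header: bytes) -> str:
    """Pre-fix behaviour: attacker-controlled header interpolated as-is."""
    detail = "host %s not in vhost map" % host_header.decode("latin-1")
    return TEMPLATE.format(detail=detail)


def render_404_fixed(host_header: bytes) -> str:
    """Hardened behaviour: HTML-escape the header before interpolation."""
    detail = escape(
        "host %s not in vhost map" % host_header.decode("latin-1"), quote=True
    )
    return TEMPLATE.format(detail=detail)


def handle_request(host_header: bytes, render_404) -> tuple:
    """Dispatch like a name-based vhost: (200, site) or (404, body)."""
    site = lookup_vhost(host_header)
    if site is not None:
        return (200, site)
    return (404, render_404(host_header))


def build_probe(payload: bytes, path: bytes = b"/") -> bytes:
    """Raw HTTP/1.1 request carrying a crafted Host header.

    Send this over a plain socket (not via a browser, which would refuse to
    set such a Host value) to a server you are authorised to test.
    """
    return b"GET " + path + b" HTTP/1.1\r\nHost: " + payload + \
        b"\r\nConnection: close\r\n\r\n"


def reflected_unescaped(body: str, payload: bytes) -> bool:
    """True when the payload appears byte-for-byte (unescaped) in the body."""
    return payload.decode("latin-1") in body


PROBE = b"<script>alert(1)</script>"  # constructed marker payload

if __name__ == "__main__":
    status, body = handle_request(PROBE, render_404_vulnerable)
    print(status, "reflected unescaped:", reflected_unescaped(body, PROBE))
    status, body = handle_request(PROBE, render_404_fixed)
    print(status, "reflected unescaped:", reflected_unescaped(body, PROBE))
```

The check that matters is `reflected_unescaped` on the response to `build_probe`: a patched Twisted (22.10.0rc1 or later, or a distribution package carrying the backport) returns the marker as `&lt;script&gt;...`, so the function reports `False`. Note that a match on a configured vhost never reaches the 404 path, so the probe must use a host that is not in the map.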
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| Twisted (PyPI) | >= 0.9.4, < 22.10.0rc1 | 22.10.0rc1 |
Affected products
13 package coordinates from the GitHub Security Advisory; none of them has a CPE assigned. Ranges are listed in the same order as the coordinates.

| Package URL | Distribution | Affected range |
|---|---|---|
| pkg:pypi/twisted | PyPI | >= 0.9.4, < 22.10.0rc1 |
| pkg:rpm/opensuse/python-Twisted | openSUSE Leap 15.3 | < 19.10.0-150200.3.18.1 |
| pkg:rpm/opensuse/python-Twisted | openSUSE Leap 15.4 | < 22.2.0-150400.5.7.1 |
| pkg:rpm/opensuse/python-Twisted | openSUSE Tumbleweed | < 22.10.0-1.1 |
| pkg:rpm/suse/python-Twisted | HPE Helion OpenStack 8 | < 15.2.1-9.23.1 |
| pkg:rpm/suse/python-Twisted | SUSE Linux Enterprise Module for Package Hub 15 SP3 | < 19.10.0-150200.3.18.1 |
| pkg:rpm/suse/python-Twisted | SUSE Linux Enterprise Module for Server Applications 15 SP3 | < 19.10.0-150200.3.18.1 |
| pkg:rpm/suse/python-Twisted | SUSE Linux Enterprise Module for Server Applications 15 SP4 | < 22.2.0-150400.5.7.1 |
| pkg:rpm/suse/python-Twisted | SUSE Linux Enterprise Module for Web and Scripting 12 | < 15.2.1-9.23.1 |
| pkg:rpm/suse/python-Twisted | SUSE OpenStack Cloud 8 | < 15.2.1-9.23.1 |
| pkg:rpm/suse/python-Twisted | SUSE OpenStack Cloud 9 | < 15.2.1-9.23.1 |
| pkg:rpm/suse/python-Twisted | SUSE OpenStack Cloud Crowbar 8 | < 15.2.1-9.23.1 |
| pkg:rpm/suse/python-Twisted | SUSE OpenStack Cloud Crowbar 9 | < 15.2.1-9.23.1 |
References
- github.com/twisted/twisted/commit/f2f5e81c03f14e253e85fe457e646130780db40b (NVD: Patch)
- github.com/twisted/twisted/commit/f49041bb67792506d85aeda9cf6157e92f8048f4 (NVD: Patch)
- github.com/twisted/twisted/security/advisories/GHSA-vg46-2rrj-3647 (NVD: Exploit, Patch, Third Party Advisory)
- github.com/advisories/GHSA-vg46-2rrj-3647 (GHSA: Advisory)
- lists.debian.org/debian-lts-announce/2022/11/msg00038.html (NVD: Mailing List, Third Party Advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-39348 (GHSA: Advisory)
- security.gentoo.org/glsa/202301-02 (NVD: Third Party Advisory)
- lists.debian.org/debian-lts-announce/2024/11/msg00028.html (NVD)