#VU61611 Origin validation error in Twisted Web


Published: 2022-03-24

Vulnerability identifier: #VU61611

Vulnerability risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-21712

CWE-ID: CWE-346

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Twisted Web
Server applications / Web servers

Vendor: Twisted Matrix Labs

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to origin validation error in the "twited.web.RedirectAgent" and "twisted.web.BrowserLikeRedirectAgent" functions. A remote attacker attacker can trick the victim to click on a specially crafted link and obtain cookies and authorization headers.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Twisted Web: 11.1.0 - 21.7.0

External links
http://github.com/twisted/twisted/commit/af8fe78542a6f2bf2235ccee8158d9c88d31e8e2
http://github.com/twisted/twisted/releases/tag/twisted-22.1.0
http://github.com/twisted/twisted/security/advisories/GHSA-92x2-jw7w-xvvx

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


openEuler 22.03 LTS update for python-twisted
openEuler 20.03 LTS SP3 update for python-twisted
openEuler 20.03 LTS SP4 update for python-twisted
Multiple vulnerabilities in Dell PowerStore Family
Gentoo update for Twisted
SUSE update for python-Twisted
Information disclosure in IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data
Multiple vulnerabilities in Oracle Solaris
Ubuntu update for twisted
Red Hat OpenStack Platform 16.2 update for python-twisted