| Package | twisted |
|---|---|
| Version | 14.0.2-3+deb8u6 (jessie), 16.6.0-2+deb9u4 (stretch) |
| Related CVEs | CVE-2019-12387 CVE-2019-12855 CVE-2022-39348 |
Multiple vulnerabilities were discovered in Twisted, an event-based framework for internet applications written in Python. An attacker may initiate request smuggling, Man-In-The-Middle (MITM) communication interception and cross-site-scripting (XSS).
- CVE-2019-12387

  twisted.web did not validate or sanitize URIs or HTTP methods, allowing an attacker to inject invalid characters such as CRLF.

- CVE-2019-12855

  In words.protocols.jabber.xmlstream in Twisted through 19.2.1, XMPP support did not verify certificates when used with TLS, allowing an attacker to MITM connections.

- CVE-2022-39348

  When the Host header does not match a configured host, `twisted.web.vhost.NameVirtualHost` will return a `NoResource` resource which renders the Host header unescaped into the 404 response, allowing HTML and script injection. In practice this should be very difficult to exploit, as being able to modify the Host header of a normal HTTP request implies that one is already in a privileged position.
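The three issues above share a pattern: untrusted bytes (a request method or URI, a peer certificate, a Host header) reach a sensitive sink without validation. The following is an added illustration written for this advisory, not code from the Twisted project or the Debian patches. It uses only the Python standard library and shows the defensive counterpart of each CVE: rejecting control characters before a request line is serialized (CVE-2019-12387), requiring certificate and hostname verification on a TLS client context (CVE-2019-12855), and HTML-escaping the Host header before it is embedded in a 404 body (CVE-2022-39348). Function names, the regular expressions and the 404 wording are this example's own assumptions, not Twisted's.

```python
import html
import re
import ssl

# RFC 7230 "token": the only characters a legal HTTP method may contain.
# No whitespace, no CR/LF, no other control bytes. (Constructed for this example.)
_TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")

# Characters permitted in a request-target (RFC 3986 unreserved/reserved plus
# percent-encoding). Anything else, including CR, LF and space, is rejected.
_URI_RE = re.compile(r"^[A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=%]+$")


def validate_request_line(method: bytes, uri: bytes) -> bool:
    """Return True only if both fields are pure ASCII and free of characters
    that could terminate the request line or start a new header."""
    try:
        method_text = method.decode("ascii")
        uri_text = uri.decode("ascii")
    except UnicodeDecodeError:
        return False
    return bool(_TOKEN_RE.match(method_text) and _URI_RE.match(uri_text))


def build_request_line(method: bytes, uri: bytes) -> bytes:
    """Serialize a request line, refusing input that fails validation.
    Without this check, b"/x\\r\\nInjected: 1" would smuggle a header."""
    if not validate_request_line(method, uri):
        raise ValueError("illegal characters in HTTP method or URI")
    return method + b" " + uri + b" HTTP/1.1\r\n"


def make_verifying_tls_context() -> ssl.SSLContext:
    """Client-side context that verifies the server certificate chain and
    checks the hostname. The vulnerable pattern is the opposite: a context
    with check_hostname=False and verify_mode=ssl.CERT_NONE, which accepts
    any certificate and therefore any on-path interceptor."""
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def context_verifies_peer(ctx: ssl.SSLContext) -> bool:
    """Configuration check a reviewer can run over any SSLContext an
    application builds: both settings must be on for MITM protection."""
    return ctx.check_hostname and ctx.verify_mode == ssl.CERT_REQUIRED


def render_not_found(host_header: bytes) -> bytes:
    """Build a 404 body that escapes the Host header before embedding it.
    The message text is constructed for this example. Headers are raw bytes,
    so latin-1 is used for decoding because it never fails."""
    host_text = host_header.decode("latin-1")
    safe_host = html.escape(host_text, quote=True)
    return (
        "<html><head><title>No Such Resource</title></head>"
        "<body><h1>No Such Resource</h1>"
        f"<p>host {safe_host} is not a configured virtual host</p>"
        "</body></html>"
    ).encode("utf-8")


if __name__ == "__main__":
    # Constructed sample inputs: one clean request, one CRLF-injection attempt,
    # and a Host header carrying markup.
    print(build_request_line(b"GET", b"/index.html?q=1"))
    try:
        build_request_line(b"GET", b"/index.html\r\nX-Injected: 1")
    except ValueError as exc:
        print("rejected:", exc)
    print(context_verifies_peer(make_verifying_tls_context()))
    print(render_not_found(b"<script>alert(1)</script>").decode())
```

The validation regexes deliberately reject rather than sanitize: stripping CR/LF silently would still let an unexpected request reach the server, whereas raising makes the defect visible in the caller's logs.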
For Debian 8 jessie, these problems have been fixed in version 14.0.2-3+deb8u6.
For Debian 9 stretch, these problems have been fixed in version 16.6.0-2+deb9u4.
We recommend that you upgrade your twisted packages.
Further information about Extended LTS security advisories can be found in the dedicated section of our website.