Lucene search

K
cvelistGitHub_MCVELIST:CVE-2022-21712
HistoryFeb 07, 2022 - 12:00 a.m.

CVE-2022-21712 Cookie and header exposure in twisted

2022-02-0700:00:00
CWE-200
GitHub_M
www.cve.org
5
cve-2022-21712
twisted
python
networking
cookies
headers
cross-origin
redirects
security
upgrade

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

AI Score

7.6

Confidence

High

EPSS

0.004

Percentile

74.8%

twisted is an event-driven networking engine written in Python. In affected versions twisted exposes cookies and authorization headers when following cross-origin redirects. This issue is present in the twited.web.RedirectAgent and twisted.web. BrowserLikeRedirectAgent functions. Users are advised to upgrade. There are no known workarounds.

CNA Affected

[
  {
    "vendor": "twisted",
    "product": "twisted",
    "versions": [
      {
        "version": ">= 11.1, < 22.1",
        "status": "affected"
      }
    ]
  }
]

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

AI Score

7.6

Confidence

High

EPSS

0.004

Percentile

74.8%