CVE-2022-21712

Cookie and header exposure in twisted

Description

twisted is an event-driven networking engine written in Python. In affected versions twisted exposes cookies and authorization headers when following cross-origin redirects. This issue is present in the `twited.web.RedirectAgent` and `twisted.web. BrowserLikeRedirectAgent` functions. Users are advised to upgrade. There are no known workarounds.

References

Link	Tags
https://github.com/twisted/twisted/security/advisories/GHSA-92x2-jw7w-xvvx	third party advisory
https://github.com/twisted/twisted/commit/af8fe78542a6f2bf2235ccee8158d9c88d31e8e2	third party advisory patch
https://github.com/twisted/twisted/releases/tag/twisted-22.1.0	third party advisory release notes
https://lists.debian.org/debian-lts-announce/2022/02/msg00021.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7U6KYDTOLPICAVSR34G2WRYLFBD2YW5K/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GLKHA6WREIVAMBQD7KKWYHPHGGNKMAG6/
https://security.gentoo.org/glsa/202301-02

Frequently Asked Questions

What is the severity of CVE-2022-21712?: CVE-2022-21712 has been scored as a high severity vulnerability.
How to fix CVE-2022-21712?: To fix CVE-2022-21712, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2022-21712 being actively exploited in the wild?: As for now, there are no information to confirm that CVE-2022-21712 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2022-21712?: CVE-2022-21712 affects twisted twisted.

Description

Categories

CWE-200 – Exposure of Sensitive Information to an Unauthorized Actor

CWE-346 – Origin Validation Error

References

Frequently Asked Questions