CVE-2022-21712

一、漏洞信息
漏洞编号：CVE-2022-21712
漏洞归属组件：python-twisted
漏洞归属的版本：18.9.0
CVSS V3.0分值：
BaseScore：7.5 High
Vector：CVSS：3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
漏洞简述：
twisted is an event-driven networking engine written in Python. In affected versions twisted exposes cookies and authorization headers when following cross-origin redirects. This issue is present in the twited.web.RedirectAgent and twisted.web. BrowserLikeRedirectAgent functions. Users are advised to upgrade. There are no known workarounds.
漏洞公开时间：2022-02-08 06:15
漏洞创建时间：2022-02-20 07:49:51
漏洞详情参考链接：
https://nvd.nist.gov/vuln/detail/CVE-2022-21712

更多参考(点击展开)

参考来源	参考链接	来源链接
MISC	https://github.com/twisted/twisted/commit/af8fe78542a6f2bf2235ccee8158d9c88d31e8e2
MISC	https://github.com/twisted/twisted/releases/tag/twisted-22.1.0
CONFIRM	https://github.com/twisted/twisted/security/advisories/GHSA-92x2-jw7w-xvvx
MLIST	https://lists.debian.org/debian-lts-announce/2022/02/msg00021.html
FEDORA	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GLKHA6WREIVAMBQD7KKWYHPHGGNKMAG6/
FEDORA	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7U6KYDTOLPICAVSR34G2WRYLFBD2YW5K/
nvd	https://access.redhat.com/security/cve/CVE-2022-21712
suse_bugzilla	https://github.com/twisted/twisted/commit/af8fe78542a6f2bf2235ccee8158d9c88d31e8e2
suse_bugzilla	https://github.com/twisted/twisted/releases/tag/twisted-22.1.0
suse_bugzilla	https://github.com/twisted/twisted/security/advisories/GHSA-92x2-jw7w-xvvx
suse_bugzilla	https://bugzilla.redhat.com/show_bug.cgi?id=2051865
suse_bugzilla	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-21712
suse_bugzilla	https://github.com/twisted/twisted/commit/af8fe78542a6f2bf2235ccee8158d9c88d31e8e2
suse_bugzilla	https://github.com/twisted/twisted/security/advisories/GHSA-92x2-jw7w-xvvx
suse_bugzilla	http://www.cvedetails.com/cve/CVE-2022-21712/
suse_bugzilla	https://github.com/twisted/twisted/releases/tag/twisted-22.1.0
suse_bugzilla	https://github.com/twisted/twisted/security/advisories/GHSA-92x2-jw7w-xvvx 22.1 (which is what we have in Factory
redhat_bugzilla	https://github.com/twisted/twisted/commit/af8fe78542a6f2bf2235ccee8158d9c88d31e8e2
redhat_bugzilla	https://github.com/twisted/twisted/releases/tag/twisted-22.1.0
ubuntu	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21712
ubuntu	https://github.com/twisted/twisted/security/advisories/GHSA-92x2-jw7w-xvvx
ubuntu	https://github.com/twisted/twisted/releases/tag/twisted-22.1.0
ubuntu	https://ubuntu.com/security/notices/USN-5354-1
ubuntu	https://nvd.nist.gov/vuln/detail/CVE-2022-21712
ubuntu	https://launchpad.net/bugs/cve/CVE-2022-21712
ubuntu	https://security-tracker.debian.org/tracker/CVE-2022-21712
debian	https://security-tracker.debian.org/tracker/CVE-2022-21712
oracle	https://www.oracle.com/security-alerts/bulletinapr2022.html

漏洞分析指导链接：
https://gitee.com/openeuler/cve-manager/blob/master/cve-vulner-manager/doc/md/manual.md
漏洞数据来源:
其它
漏洞补丁信息：

详情(点击展开)

影响的包	修复版本	修复补丁	问题引入补丁	来源
		https://github.com/twisted/twisted/commit/af8fe78542a6f2bf2235ccee8158d9c88d31e8e2		MISC
		https://github.com/twisted/twisted/commit/af8fe78542a6f2bf2235ccee8158d9c88d31e8e2		suse_bugzilla
		https://github.com/twisted/twisted/commit/af8fe78542a6f2bf2235ccee8158d9c88d31e8e2		redhat_bugzilla

二、漏洞分析结构反馈
影响性分析说明：
twisted is an event-driven networking engine written in Python. In affected versions twisted exposes cookies and authorization headers when following cross-origin redirects. This issue is present in the twited.web.RedirectAgent and twisted.web. BrowserLikeRedirectAgent functions. Users are advised to upgrade. There are no known workarounds.
openEuler评分：
7.5
Vector：CVSS：3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
受影响版本排查(受影响/不受影响)：
1.openEuler-20.03-LTS-SP3(18.9.0):受影响
2.openEuler-20.03-LTS-SP4:受影响
3.openEuler-22.03-LTS(18.9.0):受影响
4.openEuler-20.03-LTS-SP1:不受影响
5.openEuler-22.03-LTS-SP1(22.4.0):不受影响
6.openEuler-22.03-LTS-SP2(22.4.0):不受影响
7.openEuler-22.03-LTS-SP3:不受影响

修复是否涉及abi变化(是/否)：
1.openEuler-20.03-LTS-SP1:否
2.openEuler-20.03-LTS-SP3(18.9.0):否
3.openEuler-20.03-LTS-SP4:否
4.openEuler-22.03-LTS(18.9.0):否
5.openEuler-22.03-LTS-SP1(22.4.0):否
6.openEuler-22.03-LTS-SP2(22.4.0):否
7.openEuler-22.03-LTS-SP3:否

三、漏洞修复
安全公告链接：https://www.openeuler.org/zh/security/safety-bulletin/detail/?id=openEuler-SA-2023-1970

参考网址	关联pr	状态	补丁链接
https://bugzilla.suse.com/show_bug.cgi?id=CVE-2022-21712	None	None	https://github.com/twisted/twisted/commit/af8fe78542a6f2bf2235ccee8158d9c88d31e8e2
https://ubuntu.com/security/CVE-2022-21712	None	None	https://github.com/twisted/twisted/commit/af8fe78542a6f2bf2235ccee8158d9c88d31e8e2
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2022-21712	None	None	https://github.com/twisted/twisted/commit/af8fe78542a6f2bf2235ccee8158d9c88d31e8e2
https://nvd.nist.gov/vuln/detail/CVE-2022-21712	None	None	https://github.com/twisted/twisted/commit/af8fe78542a6f2bf2235ccee8158d9c88d31e8e2
https://security-tracker.debian.org/tracker/CVE-2022-21712	None	None	https://github.com/twisted/twisted/commit/af8fe78542a6f2bf2235ccee8158d9c88d31e8e2

说明：补丁链接仅供初步排查参考，实际可用性请人工再次确认，补丁下载验证可使用CVE补丁工具。
若补丁不准确，烦请在此issue下评论 '/report-patch 参考网址补丁链接1,补丁链接2' 反馈正确信息，便于我们不断优化工具，不胜感激。
如 /report-patch https://security-tracker.debian.org/tracker/CVE-2021-3997 https://github.com/systemd/systemd/commit/5b1cf7a9be37e20133c0208005274ce4a5b5c6a1

该包在Epol下，目前处于unresolvable状态，上游无对应版本的修复补丁，高版本补丁适配代码量大，风险高，升级需要从18.9.0升级到22.1.0，升级风险也较大，暂不解决。

上游已发布最新稳定版22.4.0，可以考虑升级了
输入图片说明

该漏洞影响twisted >= 11.1, < 22.1版本，并在22.1版本修复。
当前社区维护分支22.03-LTS-SP1、22.03-LTS-SP1及22.03-LTS-SP3均为22.4.0版本，且22.03-LTS-SP1、22.03-LTS-SP2分支基线版本为22.4.0，已修复此漏洞，故不受影响

20.03分支、22.03-LTS版本为18.9.0，受此漏洞影响，需要修复。

参考链接：
https://github.com/advisories/GHSA-92x2-jw7w-xvvx

影响性分析说明：
twisted is an event-driven networking engine written in Python. In affected versions twisted exposes cookies and authorization headers when following cross-origin redirects. This issue is present in the twited.web.RedirectAgent and twisted.web. BrowserLikeRedirectAgent functions. Users are advised to upgrade. There are no known workarounds.

openEuler评分：
7.5
Vector：CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
受影响版本排查(受影响/不受影响)：
1.openEuler-20.03-LTS-SP1: 不受影响
2.openEuler-20.03-LTS-SP3(18.9.0): 受影响
3.openEuler-20.03-LTS-SP4: 受影响
4.openEuler-22.03-LTS(18.9.0): 受影响
5.openEuler-22.03-LTS-SP1(22.4.0): 不受影响
6.openEuler-22.03-LTS-SP2(22.4.0): 不受影响
7.openEuler-22.03-LTS-SP3: 不受影响

修复是否涉及abi变化(是/否)：
1.openEuler-20.03-LTS-SP1: 否
2.openEuler-20.03-LTS-SP3(18.9.0): 否
3.openEuler-20.03-LTS-SP4: 否
4.openEuler-22.03-LTS(18.9.0): 否
5.openEuler-22.03-LTS-SP1(22.4.0): 否
6.openEuler-22.03-LTS-SP2(22.4.0): 否
7.openEuler-22.03-LTS-SP3: 否

src-openEuler/python-twisted

内容风险标识

评论 (12)

src-openEuler/python-twisted .gitee-modal { width: 500px !important; }

内容风险标识

CVE-2022-21712

评论 (12)

搜索帮助

src-openEuler/python-twisted