Bugzilla – Bug 1195667
VUL-0: CVE-2022-21712: python-Twisted: secret exposure in cross-origin redirects
Last modified: 2022-06-10 09:02:59 UTC
rh#2051865 twisted is an event-driven networking engine written in Python. In affected versions twisted exposes cookies and authorization headers when following cross-origin redirects. This issue is present in the `twited.web.RedirectAgent` and `twisted.web. BrowserLikeRedirectAgent` functions. Users are advised to upgrade. There are no known workarounds. https://github.com/twisted/twisted/commit/af8fe78542a6f2bf2235ccee8158d9c88d31e8e2 https://github.com/twisted/twisted/releases/tag/twisted-22.1.0 https://github.com/twisted/twisted/security/advisories/GHSA-92x2-jw7w-xvvx References: https://bugzilla.redhat.com/show_bug.cgi?id=2051865 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-21712 https://github.com/twisted/twisted/commit/af8fe78542a6f2bf2235ccee8158d9c88d31e8e2 https://github.com/twisted/twisted/security/advisories/GHSA-92x2-jw7w-xvvx http://www.cvedetails.com/cve/CVE-2022-21712/ https://github.com/twisted/twisted/releases/tag/twisted-22.1.0 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21712
Affected: - SUSE:SLE-12:Update - SUSE:SLE-15-SP2:Update - SUSE:SLE-15-SP4:Update - openSUSE:Factory
According to https://github.com/twisted/twisted/security/advisories/GHSA-92x2-jw7w-xvvx 22.1 (which is what we have in Factory) has been patched.
SLE-15-SP4:GA https://build.suse.de/request/show/264768
openSUSE-SU-2022:0499-1: An update that fixes one vulnerability is now available. Category: security (important) Bug References: 1195667 CVE References: CVE-2022-21712 JIRA References: Sources used: openSUSE Leap 15.4 (src): python-Twisted-19.10.0-3.6.1 openSUSE Leap 15.3 (src): python-Twisted-19.10.0-3.6.1
SUSE-SU-2022:0499-1: An update that fixes one vulnerability is now available. Category: security (important) Bug References: 1195667 CVE References: CVE-2022-21712 JIRA References: Sources used: SUSE Manager Server 4.1 (src): python-Twisted-19.10.0-3.6.1 SUSE Manager Retail Branch Server 4.1 (src): python-Twisted-19.10.0-3.6.1 SUSE Manager Proxy 4.1 (src): python-Twisted-19.10.0-3.6.1 SUSE Linux Enterprise Server for SAP 15-SP2 (src): python-Twisted-19.10.0-3.6.1 SUSE Linux Enterprise Server 15-SP2-LTSS (src): python-Twisted-19.10.0-3.6.1 SUSE Linux Enterprise Server 15-SP2-BCL (src): python-Twisted-19.10.0-3.6.1 SUSE Linux Enterprise Realtime Extension 15-SP2 (src): python-Twisted-19.10.0-3.6.1 SUSE Linux Enterprise Module for Server Applications 15-SP3 (src): python-Twisted-19.10.0-3.6.1 SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP3 (src): python-Twisted-19.10.0-3.6.1 SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src): python-Twisted-19.10.0-3.6.1 SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (src): python-Twisted-19.10.0-3.6.1 SUSE Enterprise Storage 7 (src): python-Twisted-19.10.0-3.6.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2022:0734-1: An update that fixes one vulnerability is now available. Category: security (important) Bug References: 1195667 CVE References: CVE-2022-21712 JIRA References: Sources used: SUSE OpenStack Cloud Crowbar 9 (src): python-Twisted-15.2.1-9.11.1 SUSE OpenStack Cloud Crowbar 8 (src): python-Twisted-15.2.1-9.11.1 SUSE OpenStack Cloud 9 (src): python-Twisted-15.2.1-9.11.1 SUSE OpenStack Cloud 8 (src): python-Twisted-15.2.1-9.11.1 SUSE Linux Enterprise Module for Web Scripting 12 (src): python-Twisted-15.2.1-9.11.1 HPE Helion Openstack 8 (src): python-Twisted-15.2.1-9.11.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Done, closing.