PYSEC-2022-160 — Vulnetix

PYSEC-2022-160 PUBLISHED

Twisted is an event-based framework for internet applications, supporting Python 3.6+. Prior to 22.2.0, Twisted SSH client and server implement is able to accept an infinite amount of data for the peer's SSH version identifier. This ends up with a buffer using all the available memory. The attach is a simple as `nc -rv localhost 22 < /dev/zero`. A patch is available in version 22.2.0. There are currently no known workarounds.

Affected Products

Vendor	Product	Versions
PyPI	twisted	0, 21.7.0, 22.1.0

Timeline

Mar 3, 2022 CVE Published
Nov 8, 2023 CVE Updated

References

https://github.com/twisted/twisted/security/advisories/GHSA-rv6r-3f5q-9rgx advisory
https://twistedmatrix.com/trac/ticket/10284 url
https://github.com/twisted/twisted/commit/89c395ee794e85a9657b112c4351417850330ef9 fix
https://github.com/twisted/twisted/releases/tag/twisted-22.2.0 fix

Open in Interactive Console →