CVE-2022-21716
HIGH
Published Mar 3, 2022 · Modified Jun 17, 2026
7.5 CVSS 3.1
Description
Twisted is an event-based framework for internet applications, supporting Python 3.6+. Prior to 22.2.0, the Twisted SSH client and server implementation accepts an unbounded amount of data for the peer's SSH version identifier. This ends with a buffer consuming all available memory. The attack is as simple as `nc -rv localhost 22 < /dev/zero`. A patch is available in version 22.2.0. There are currently no known workarounds.
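As an added example (not Twisted's patch or code), the following Python reader shows the defensive pattern for the version exchange described above: instead of appending peer bytes until CRLF arrives, it enforces the RFC 4253 limit of 255 bytes on the identification line and refuses to buffer further. Applying the same cap to pre-version banner lines, and the NUL-flood simulation, are assumptions made here for illustration.

```python
"""Bounded SSH version exchange reader (RFC 4253 section 4.2).

Illustrates the defensive pattern behind the CVE-2022-21716 fix (not
Twisted's code): a vulnerable reader appends peer bytes until CRLF arrives,
so a peer that never sends a newline grows the buffer without limit."""

MAX_IDENT_LINE = 255  # RFC 4253: identification string incl. CR LF

class VersionExchangeError(Exception):
    """Raised when the peer violates the version exchange limits."""

class BoundedVersionReader:
    """Accumulates peer bytes until a complete 'SSH-' identification line."""

    def __init__(self, max_line: int = MAX_IDENT_LINE):
        self.max_line = max_line
        self.buf = b""  # unparsed bytes; held to at most max_line + one read
        self.version = None

    def feed(self, data: bytes):
        """Consume one socket read; return the version string once complete."""
        if self.version is not None:
            return self.version
        self.buf += data
        while b"\n" in self.buf:
            line, self.buf = self.buf.split(b"\n", 1)
            if line.startswith(b"SSH-"):
                if len(line) + 1 > self.max_line:  # +1 for the split-off LF
                    raise VersionExchangeError("SSH version line too long")
                self.version = line.rstrip(b"\r").decode("ascii", "replace")
                return self.version  # self.buf keeps any following packet bytes
            # Any other line is a pre-version banner (RFC 4253) and is skipped.
        # No newline yet: an unterminated line longer than any legal ident line
        # cannot complete validly (capping banner lines too is assumed policy).
        if len(self.buf) > self.max_line:
            raise VersionExchangeError("unterminated line exceeds limit")
        return None

def simulate_flood(chunk: bytes = b"\x00" * 1024, limit: int = 1 << 20) -> int:
    """Feed a NUL stream (as `nc ... < /dev/zero` would) and return how many
    bytes were buffered when the reader refused to continue."""
    reader, fed = BoundedVersionReader(), 0
    while fed < limit:
        try:
            reader.feed(chunk)
        except VersionExchangeError:
            return len(reader.buf)
        fed += len(chunk)
    raise AssertionError("reader accepted data without bound")
```

With the cap in place the flood is rejected after the first read that overruns 255 bytes, so memory held per connection stays proportional to one socket read rather than to what the peer chooses to send.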
CVSS Details
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High
Threat Intelligence
No active exploitation signals — not in CISA KEV and no EPSS score yet.
Exploit & Patch Status
Public Exploit Known
Patch Available
Weaknesses 2
CWE-120
CWE-770
Affected Products 7
| Vendor | Product | Version | Range |
|---|---|---|---|
| twisted | twisted | * | ≥21.7.0 – <22.2.0 |
| debian | debian_linux | 9.0 | any |
| oracle | http_server | 12.2.1.3.0 | any |
| oracle | http_server | 12.2.1.4.0 | any |
| oracle | zfs_storage_appliance_kit | 8.8 | any |
| fedoraproject | fedora | 35 | any |
| fedoraproject | fedora | 36 | any |
References 9
- github.com https://github.com/twisted/twisted/commit/89c395ee794e85a9657b112c4351417850330ef9
- github.com https://github.com/twisted/twisted/releases/tag/twisted-22.2.0
- github.com https://github.com/twisted/twisted/security/advisories/GHSA-rv6r-3f5q-9rgx
- lists.debian.org https://lists.debian.org/debian-lts-announce/2022/03/msg00009.html
- lists.fedoraproject.org https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7U6KYDTOLPICAVSR34G2WRYLFBD2YW5K/
- lists.fedoraproject.org https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GLKHA6WREIVAMBQD7KKWYHPHGGNKMAG6/
- security.gentoo.org https://security.gentoo.org/glsa/202301-02
- twistedmatrix.com https://twistedmatrix.com/trac/ticket/10284
- oracle.com https://www.oracle.com/security-alerts/cpuapr2022.html
Remediation
- github.com https://github.com/twisted/twisted/commit/89c395ee794e85a9657b112c4351417850330ef9
- github.com https://github.com/twisted/twisted/security/advisories/GHSA-rv6r-3f5q-9rgx
- oracle.com https://www.oracle.com/security-alerts/cpuapr2022.html