CVE-2022-21716

HIGH
7.5 CVSS 3.1
Published Mar 3, 2022
Last Modified Jun 17, 2026

Description

Twisted is an event-based framework for internet applications, supporting Python 3.6+. Prior to 22.2.0, the Twisted SSH client and server implementation accepts an unlimited amount of data for the peer's SSH version identifier, so the receive buffer grows until it consumes all available memory. The attack is as simple as `nc -rv localhost 22 < /dev/zero`. A patch is available in version 22.2.0. There are currently no known workarounds.
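As an added illustration (not Twisted's code and not the referenced fix), this constructed Python model contrasts the unbounded buffering described above with a reader that enforces the 255-byte identification-string limit from RFC 4253 section 4.2; the class names and the `feed` helper are hypothetical.

```python
# Constructed example, not Twisted's code. RFC 4253 sec. 4.2 caps the SSH
# identification string at 255 bytes including CRLF, so a reader can refuse
# to buffer more than that while waiting for the line to finish.
MAX_ID_LINE = 255


class VersionLineTooLong(Exception):
    """Raised by the hardened reader when the peer exceeds the line bound."""


class UnboundedVersionReader:
    """Vulnerable pattern: keep appending until a newline eventually arrives."""

    def __init__(self):
        self.buf, self.version = b"", None

    def data_received(self, data: bytes) -> None:
        self.buf += data  # no upper limit: a stream of zeros grows this until OOM
        while self.version is None and b"\n" in self.buf:
            line, _, self.buf = self.buf.partition(b"\n")
            if line.startswith(b"SSH-"):  # pre-banner lines are allowed and skipped
                self.version = line.rstrip(b"\r")


class BoundedVersionReader:
    """Hardened pattern: reject any line, complete or partial, over the bound."""

    def __init__(self, limit: int = MAX_ID_LINE):
        self.buf, self.version, self.limit = b"", None, limit

    def data_received(self, data: bytes) -> None:
        if self.version is not None:
            return  # identification finished; later bytes are the binary protocol
        self.buf += data
        while self.version is None and b"\n" in self.buf:
            line, _, self.buf = self.buf.partition(b"\n")
            if len(line) + 1 > self.limit:  # +1 for the newline just consumed
                raise VersionLineTooLong(len(line) + 1)
            if line.startswith(b"SSH-"):
                self.version = line.rstrip(b"\r")
        # A partial line this long can never fit once its newline is added.
        if self.version is None and len(self.buf) >= self.limit:
            raise VersionLineTooLong(len(self.buf))


def feed(reader, chunks):
    """Deliver chunks to a reader; return (outcome, bytes still buffered)."""
    try:
        for chunk in chunks:
            reader.data_received(chunk)
    except VersionLineTooLong:
        return "rejected", len(reader.buf)
    return ("ok" if reader.version is not None else "pending"), len(reader.buf)
```

Feeding both readers a newline-free stream shows the difference: the unbounded reader keeps every byte, while the bounded one disconnects as soon as the pending line passes 255 bytes.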

CVSS Details

Base Score
7.5
Exploitability
3.9
Impact
3.6
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality None
Integrity None
Availability High

Threat Intelligence

No active exploitation signals — not in CISA KEV and no EPSS score yet.

Exploit & Patch Status
Public Exploit Known
Patch Available

Weaknesses (2)

CWE-120
CWE-770

Affected Products (7)

Vendor          Product                    Version       Range
twisted         twisted                    *             ≥21.7.0 – <22.2.0
debian          debian_linux               9.0           any
oracle          http_server                12.2.1.3.0    any
oracle          http_server                12.2.1.4.0    any
oracle          zfs_storage_appliance_kit  8.8           any
fedoraproject   fedora                     35            any
fedoraproject   fedora                     36            any

References (9)

  • https://github.com/twisted/twisted/commit/89c395ee794e85a9657b112c4351417850330ef9
    Patch, Third Party Advisory
  • https://github.com/twisted/twisted/releases/tag/twisted-22.2.0
    Release Notes, Third Party Advisory
  • https://github.com/twisted/twisted/security/advisories/GHSA-rv6r-3f5q-9rgx
    Exploit, Patch, Third Party Advisory
  • https://lists.debian.org/debian-lts-announce/2022/03/msg00009.html
    Mailing List, Third Party Advisory
  • https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7U6KYDTOLPICAVSR34G2WRYLFBD2YW5K/
  • https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GLKHA6WREIVAMBQD7KKWYHPHGGNKMAG6/
  • https://security.gentoo.org/glsa/202301-02
    Third Party Advisory
  • https://twistedmatrix.com/trac/ticket/10284
    Issue Tracking, Vendor Advisory
  • https://www.oracle.com/security-alerts/cpuapr2022.html
    Patch, Third Party Advisory

Remediation

  • https://github.com/twisted/twisted/commit/89c395ee794e85a9657b112c4351417850330ef9
    Patch, Third Party Advisory
  • https://github.com/twisted/twisted/security/advisories/GHSA-rv6r-3f5q-9rgx
    Exploit, Patch, Third Party Advisory
  • https://www.oracle.com/security-alerts/cpuapr2022.html
    Patch, Third Party Advisory