
CVE-2022-21716

Published: 3 March 2022

Twisted is an event-based framework for internet applications, supporting Python 3.6+. Prior to 22.2.0, the Twisted SSH client and server implementation is able to accept an infinite amount of data for the peer's SSH version identifier. This ends up with a buffer using all the available memory. The attack is as simple as `nc -rv localhost 22 < /dev/zero`. A patch is available in version 22.2.0. There are currently no known workarounds.
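As an added example (not Twisted's own code), the two readers below contrast the unbounded version-line buffering described above with a bounded reader that enforces the RFC 4253 limit of 255 bytes for the identification string; the class and method names are my own.

```python
# Added illustration for CVE-2022-21716; this is not Twisted's code.
# RFC 4253 section 4.2 caps the identification string ("SSH-2.0-...")
# at 255 bytes including CRLF. Pre-announcement lines that a server may
# send before its version line are ignored here for simplicity.

MAX_IDENT_LEN = 255  # RFC 4253 limit, CRLF included


class VersionLineTooLong(Exception):
    """Peer sent more than the allowed bytes without terminating the line."""


class UnboundedVersionReader:
    """Mirrors the pre-22.2.0 behaviour: the buffer grows until a newline arrives."""

    def __init__(self):
        self.buf = b""
        self.version = None

    def feed(self, data):
        # No cap: a peer that never sends a newline grows this buffer
        # without bound, which is the memory exhaustion in the advisory.
        self.buf += data
        if b"\n" in self.buf:
            line, _, self.buf = self.buf.partition(b"\n")
            self.version = line.rstrip(b"\r")
        return self.version


class BoundedVersionReader:
    """Hardened form: refuse to buffer past the RFC limit and drop the peer."""

    def __init__(self, limit=MAX_IDENT_LEN):
        self.buf = b""
        self.limit = limit
        self.version = None

    def feed(self, data):
        self.buf += data
        if b"\n" in self.buf:
            line, _, self.buf = self.buf.partition(b"\n")
            self.version = line.rstrip(b"\r")
            return self.version
        if len(self.buf) > self.limit:
            # Bounded memory per connection: the caller should close the
            # transport when this is raised instead of waiting for a newline.
            raise VersionLineTooLong(len(self.buf))
        return None
```

A connection handler would catch `VersionLineTooLong` and close the transport, so each unauthenticated peer can cost at most `limit` bytes of buffered data.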

Priority

Medium

CVSS 3 base score: 7.5

Status

Package: twisted (Launchpad, Ubuntu, Debian)

Release    Status
bionic     Released (17.9.0-2ubuntu0.3)
focal      Released (18.9.0-11ubuntu0.20.04.2)
impish     Released (20.3.0-7ubuntu1.1)
jammy      Released (22.1.0-2ubuntu2.1)
trusty     Released (13.2.0-1ubuntu1.2+esm2)
upstream   Released (22.2.0)
xenial     Released (16.0.0-1ubuntu0.4+esm1)