{
  "threat_severity" : "Moderate",
  "public_date" : "2022-02-08T00:00:00Z",
  "bugzilla" : {
    "description" : "dev-python/twisted: secret exposure in cross-origin redirects",
    "id" : "2051865",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2051865"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-346",
  "details" : [ "twisted is an event-driven networking engine written in Python. In affected versions twisted exposes cookies and authorization headers when following cross-origin redirects. This issue is present in the `twisted.web.RedirectAgent` and `twisted.web.BrowserLikeRedirectAgent` functions. Users are advised to upgrade. There are no known workarounds.", "A flaw was found in the twisted Python library when WebClient redirects via the RedirectAgent and BrowserLikeRedirectAgent methods. This flaw allows an attacker to take advantage of these cross-origin redirects and leak the cookie and authorization headers." ],
  "affected_release" : [ {
    "product_name" : "Red Hat OpenStack Platform 16.1",
    "release_date" : "2022-03-24T00:00:00Z",
    "advisory" : "RHSA-2022:0982",
    "cpe" : "cpe:/a:redhat:openstack:16.1::el8",
    "package" : "python-twisted-0:16.4.1-19.el8ost"
  }, {
    "product_name" : "Red Hat OpenStack Platform 16.2",
    "release_date" : "2022-03-23T00:00:00Z",
    "advisory" : "RHSA-2022:0992",
    "cpe" : "cpe:/a:redhat:openstack:16.2::el8",
    "package" : "python-twisted-0:16.4.1-19.el8ost"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Ansible Automation Platform 1.2",
    "fix_state" : "Affected",
    "package_name" : "twisted[tls]",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2",
    "fix_state" : "Affected",
    "package_name" : "twisted[tls]",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2"
  }, {
    "product_name" : "Red Hat Ceph Storage 3",
    "fix_state" : "Out of support scope",
    "package_name" : "python-twisted-core",
    "cpe" : "cpe:/a:redhat:ceph_storage:3"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "python-twisted",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat OpenStack Platform 13 (Queens)",
    "fix_state" : "Out of support scope",
    "package_name" : "python-twisted",
    "cpe" : "cpe:/a:redhat:openstack:13"
  }, {
    "product_name" : "Red Hat Satellite 6",
    "fix_state" : "Will not fix",
    "package_name" : "python-twisted",
    "cpe" : "cpe:/a:redhat:satellite:6"
  }, {
    "product_name" : "Red Hat Storage 3",
    "fix_state" : "Will not fix",
    "package_name" : "python-twisted-core",
    "cpe" : "cpe:/a:redhat:storage:3"
  }, {
    "product_name" : "Service Telemetry Framework 1.3 for RHEL 8",
    "fix_state" : "Will not fix",
    "package_name" : "python-twisted",
    "cpe" : "cpe:/a:redhat:stf:1.3::el8"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2022-21712\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-21712\nhttps://github.com/twisted/twisted/security/advisories/GHSA-92x2-jw7w-xvvx" ],
  "name" : "CVE-2022-21712",
  "csaw" : false
}