PYSEC-2022-160

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/twisted/PYSEC-2022-160.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2022-160
Aliases
Published
2022-03-03T21:15:00Z
Modified
2023-11-08T04:08:09.232676Z
Summary
[none]
Details

Twisted is an event-based framework for internet applications, supporting Python 3.6+. Prior to 22.2.0, Twisted SSH client and server implement is able to accept an infinite amount of data for the peer's SSH version identifier. This ends up with a buffer using all the available memory. The attach is a simple as nc -rv localhost 22 < /dev/zero. A patch is available in version 22.2.0. There are currently no known workarounds.

References

Affected packages

PyPI / twisted

Package

Affected ranges

Type
GIT
Repo
https://github.com/twisted/twisted
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Type
ECOSYSTEM
Events
Introduced
21.7.0
Fixed
22.2.0

Affected versions

21.*

21.7.0

22.*

22.1.0rc1
22.1.0
22.2.0rc1