{"id":"PYSEC-2022-160","details":"Twisted is an event-based framework for internet applications, supporting Python 3.6+. Prior to 22.2.0, Twisted SSH client and server implement is able to accept an infinite amount of data for the peer's SSH version identifier. This ends up with a buffer using all the available memory. The attach is a simple as `nc -rv localhost 22 \u003c /dev/zero`. A patch is available in version 22.2.0. There are currently no known workarounds.","aliases":["CVE-2022-21716","GHSA-rv6r-3f5q-9rgx"],"modified":"2023-11-01T05:18:47.318692Z","published":"2022-03-03T21:15:00Z","references":[{"type":"FIX","url":"https://github.com/twisted/twisted/commit/89c395ee794e85a9657b112c4351417850330ef9"},{"type":"ADVISORY","url":"https://github.com/twisted/twisted/security/advisories/GHSA-rv6r-3f5q-9rgx"},{"type":"WEB","url":"https://twistedmatrix.com/trac/ticket/10284"},{"type":"WEB","url":"https://github.com/twisted/twisted/releases/tag/twisted-22.2.0"}],"affected":[{"package":{"name":"twisted","ecosystem":"PyPI","purl":"pkg:pypi/twisted"},"ranges":[{"type":"GIT","repo":"https://github.com/twisted/twisted","events":[{"introduced":"0"},{"fixed":"89c395ee794e85a9657b112c4351417850330ef9"}]},{"type":"ECOSYSTEM","events":[{"introduced":"21.7.0"},{"fixed":"22.2.0"}]}],"versions":["21.7.0","22.1.0","22.1.0rc1","22.2.0rc1"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/twisted/PYSEC-2022-160.yaml"}}],"schema_version":"1.7.3"}