Concerns Regarding cPanel's Use of Python Twisted Framework - CVE Vulnerabilities
Dear Community,
I wanted to raise awareness regarding the use of Python Twisted framework version 16.6.0 within cPanel's CCS packages. Recently, one of our clients underwent an audit by an external security firm and was advised about potential vulnerabilities associated with the usage of this older Twisted version. Specifically, they highlighted the following CVE notices:
- CVE-2020-10108
- CVE-2020-10109
- CVE-2022-24801
As a proactive measure, I initiated communication with cPanel, and they have acknowledged the concern by opening an internal case (CPANEL-43593). We've also submitted a ticket (ticket ID: #95165845) to address this issue.
This thread is being created to serve as a hub for information regarding cPanel's utilization of the Twisted framework. It aims to provide updates and essential details for our clients and anyone else seeking information on this matter.
Your participation and input in this discussion are highly encouraged and appreciated.
-
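The audit finding above comes down to one question: does the Twisted that CCS ships predate the releases that fixed the three CVEs? The script below is an added example, not cPanel's code or anything from this thread. It compares a Twisted version string against the fixed-in releases for the CVEs the post names; those fixed-in versions are taken from the upstream Twisted advisories, not from this thread, and the helper names (`affected_cves`, `parse_version`) are my own.

```python
"""Check a Twisted version against the CVEs named in the thread.

Added example. Fixed-in versions come from the upstream Twisted advisories
(CVE-2020-10108 / CVE-2020-10109 fixed in 20.3.0, CVE-2022-24801 fixed in
22.4.0); they are not stated in the forum thread itself.
"""
from importlib import metadata
import re

# CVE id -> first Twisted release that carries the fix (upstream advisory data)
FIXED_IN = {
    "CVE-2020-10108": "20.3.0",
    "CVE-2020-10109": "20.3.0",
    "CVE-2022-24801": "22.4.0",
}


def parse_version(text):
    """Turn '16.6.0' or '22.4.0rc1' into a comparable tuple of ints.

    Pre-release suffixes are dropped, so a release candidate is treated as the
    final release; for a compliance check that errs on the permissive side, so
    pin to final releases when you act on the result.
    """
    m = re.match(r"^\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(g or 0) for g in m.groups())


def affected_cves(version_text):
    """Return the CVE ids whose fix post-dates the given Twisted version."""
    installed = parse_version(version_text)
    return sorted(cve for cve, fixed in FIXED_IN.items()
                  if installed < parse_version(fixed))


def installed_twisted_version():
    """Read the Twisted version from package metadata; None if not installed."""
    try:
        return metadata.version("Twisted")
    except metadata.PackageNotFoundError:
        return None


if __name__ == "__main__":
    ver = installed_twisted_version()
    if ver is None:
        print("Twisted is not installed in this interpreter")
    else:
        hits = affected_cves(ver)
        print(f"Twisted {ver}: " + (", ".join(hits) if hits else "none of the listed CVEs"))
```

Run it with the interpreter that CCS actually uses rather than the system Python, since a bundled product carries its own site-packages; the thread does not say where that interpreter lives, so locate it on your own host before relying on the output. For the 16.6.0 version the post mentions, all three CVEs are reported as unfixed.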
Hey hey! We are aware of the issue, and I'll be sure to post a reply once I have some official details from the development team.
1 -
Have we got any further news on this? We're seeing PCI failures regarding this too and it looks like there's been no update for a few months.
1 -
I don't have any updates at this time. Since we're going to be replacing the CCS product the most likely explanation is that we won't fix this, but it will simply no longer exist as that product fades out of use.
0 -
Thanks for the update. So we can look at plans for these short term, is there an estimated deployment time for the replacement?
If this will be a while, then we'll need to plan a removal of CCS for PCI compliance.
0 -
We just heard yesterday that this is happening in version 120, and we'll be posting more updates about the changes soon!
0
Comments
5 comments