CVE-2023-46137

Twisted is an event-based framework for internet applications. Prior to version 23.10.0rc1, when multiple HTTP requests arrive in one TCP packet (HTTP/1.1 pipelining), twisted.web processes them asynchronously and does not guarantee that the responses are written back in request order. If one of the requested endpoints is controlled by an attacker, the attacker can deliberately delay its response so that, when a victim pipelines two requests on one connection, the responses are swapped: the client attributes the server's answer to the second request to the first one, and the attacker's delayed content is delivered as the response to the second request. Version 23.10.0rc1 contains a patch for this issue.
Weakness: HTTP Request/Response Smuggling (CWE-444)
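The ordering problem described above, as an added example that is not Twisted's code and not part of the original advisory. A minimal asyncio HTTP/1.1 server answers pipelined requests either as each handler completes (the pre-23.10.0rc1 behaviour) or strictly in request order (the fixed behaviour); a client sends two GETs in a single write, so they share one TCP segment, and maps the n-th response to the n-th request the way every HTTP/1.1 client must. The paths /attacker and /account, the handler delays in HANDLER_DELAY and the response bodies are constructed for the demonstration.

```python
import asyncio
from typing import Dict, List

# Constructed per-path handler delays (seconds). /attacker stands for the
# attacker-controlled endpoint that deliberately stalls; /account stands for the
# victim's second, sensitive request, which the server answers immediately.
HANDLER_DELAY = {"/attacker": 0.2, "/account": 0.0}


def parse_pipelined_requests(data: bytes) -> List[str]:
    """Split one TCP segment holding several bodiless HTTP/1.1 requests into
    their request targets, in arrival order."""
    if not data.endswith(b"\r\n\r\n"):
        raise ValueError("segment does not end on a request boundary")
    targets = []
    for head in data[:-4].split(b"\r\n\r\n"):
        method, target, version = head.split(b"\r\n", 1)[0].decode("ascii").split(" ")
        if version != "HTTP/1.1":
            raise ValueError(f"unsupported version {version}")
        targets.append(target)
    return targets


def build_response(target: str) -> bytes:
    body = f"response for {target}".encode()
    return (b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n"
            + b"Content-Length: %d\r\n\r\n" % len(body) + body)


async def handle(target: str) -> bytes:
    """Application handler: the attacker-controlled path stalls before replying."""
    await asyncio.sleep(HANDLER_DELAY.get(target, 0.0))
    return build_response(target)


async def serve_connection(reader: asyncio.StreamReader,
                           writer: asyncio.StreamWriter, in_order: bool) -> None:
    """Server side of one keep-alive connection.

    in_order=False models the vulnerable behaviour: each response is written as
    soon as its handler finishes.  in_order=True models the fix: a response is
    written only after every earlier request on the connection has been answered.
    """
    data = await reader.read(65536)          # the pipelined requests, one segment
    tasks = [asyncio.create_task(handle(t)) for t in parse_pipelined_requests(data)]
    ordered = tasks if in_order else asyncio.as_completed(tasks)
    for fut in ordered:
        writer.write(await fut)
        await writer.drain()
    writer.close()
    await writer.wait_closed()


async def read_response(reader: asyncio.StreamReader) -> str:
    """Client side: read one response and return its body."""
    head = (await reader.readuntil(b"\r\n\r\n")).decode("ascii")
    length = next(int(line.split(":", 1)[1]) for line in head.split("\r\n")
                  if line.lower().startswith("content-length:"))
    return (await reader.readexactly(length)).decode()


async def pipelined_exchange(targets: List[str], in_order: bool) -> List[str]:
    """Send all targets in one write (one TCP segment) and collect the responses
    in the order they arrive on the connection."""
    async def on_connect(r, w):
        await serve_connection(r, w, in_order)

    server = await asyncio.start_server(on_connect, "127.0.0.1", 0)
    port = server.sockets[0].getsockname()[1]
    async with server:
        reader, writer = await asyncio.open_connection("127.0.0.1", port)
        writer.write(b"".join(f"GET {t} HTTP/1.1\r\nHost: localhost\r\n\r\n".encode()
                              for t in targets))
        await writer.drain()
        bodies = [await read_response(reader) for _ in targets]
        writer.close()
        await writer.wait_closed()
    return bodies


def client_view(targets: List[str], in_order: bool) -> Dict[str, str]:
    """What the client believes each request's response was: the n-th response
    on the connection is taken as the answer to the n-th request."""
    return dict(zip(targets, asyncio.run(pipelined_exchange(targets, in_order))))


if __name__ == "__main__":
    for mode in (False, True):
        print("in_order" if mode else "vulnerable",
              client_view(["/attacker", "/account"], mode))
```

With in_order=False the client files the /account body under /attacker and the attacker's body under /account, which is the "manipulate the response of the second request" outcome in the description; with in_order=True both requests get their own response. The same client half (two requests in one write, responses attributed by position) is the check to run against a real deployment: if the bodies come back in an order that depends on handler timing rather than request order, pipelined responses are not being serialised.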
CVSS 3.x base scores

Provider    Type   Base score   Atk. vector   Atk. complexity   Priv. required   Vector
NIST        NIST   5.3 MEDIUM   NETWORK       LOW               NONE             CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
GitHub_M    CNA    5.3 MEDIUM   NETWORK       LOW               NONE             CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
CVE         ADP    ---          ---           ---               ---              ---
CISA-ADP    ADP    ---          ---           ---               ---              ---

EPSS score: percentile 41%
Affected products (CPE match)

Vendor    Product   Version
twisted   twisted   ≤ 22.8.0 (vulnerable)

Note: the description states that every release before 23.10.0rc1 is affected, which is a wider range than the ≤ 22.8.0 CPE match listed here; treat any Twisted older than 23.10.0rc1 as affected unless the distribution has backported the fix.
Debian releases

Product   Codename              Version             Status
twisted   bullseye              ---                 vulnerable
twisted   buster                ---                 no-dsa
twisted   bullseye (security)   20.3.0-7+deb11u2    fixed
twisted   bookworm              22.4.0-4+deb12u1    fixed
twisted   bookworm (security)   22.4.0-4+deb12u1    fixed
twisted   trixie                24.11.0-1           fixed
twisted   sid                   24.11.0-1           fixed
Ubuntu releases

Product   Codename   Fixed version               Status
twisted   oracular   22.4.0-4ubuntu1             released
twisted   noble      22.4.0-4ubuntu1             released
twisted   mantic     22.4.0-4ubuntu0.23.10.1     released
twisted   lunar      22.4.0-4ubuntu0.23.04.1     released
twisted   jammy      22.1.0-2ubuntu2.4           released
twisted   focal      18.9.0-11ubuntu0.20.04.3    released
twisted   bionic     ---                         needs-triage
twisted   xenial     ---                         needs-triage
twisted   trusty     ---                         ignored