CVE-2023-46137

EUVD-2023-0250
Twisted is an event-based framework for internet applications. Prior to version 23.10.0rc1, when multiple HTTP requests arrive in one TCP packet, twisted.web processes the requests asynchronously without guaranteeing the response order. If one of the endpoints is controlled by an attacker, the attacker can deliberately delay its response to manipulate the response of the second request when a victim sends two requests using HTTP pipelining. Version 23.10.0rc1 contains a patch for this issue.
HTTP Request/Response Smuggling
Base Score (CVSS 3.x)

| Provider | Type    | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector                                       |
|----------|---------|------------|-------------|-----------------|----------------|----------------------------------------------|
| NIST     | Primary | 5.3 MEDIUM | NETWORK     | LOW             | NONE           | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
| GitHub_M | CNA     | 5.3 MEDIUM | NETWORK     | LOW             | NONE           | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |

EPSS Score: Percentile 68%
Affected Products (NVD)

| Vendor  | Product | Version    |
|---------|---------|------------|
| twisted | twisted | x ≤ 22.8.0 |

x = Vulnerable software versions
Debian Releases

Debian Product: twisted

| Codename            | Version           | Status     |
|---------------------|-------------------|------------|
| bookworm            | 22.4.0-4+deb12u1  | fixed      |
| bookworm (security) | 22.4.0-4+deb12u1  | fixed      |
| bullseye            |                   | vulnerable |
| bullseye (security) | 20.3.0-7+deb11u2  | fixed      |
| buster              |                   | no-dsa     |
| sid                 | 24.11.0-1         | fixed      |
| trixie              | 24.11.0-1         | fixed      |
Ubuntu Releases

Ubuntu Product: twisted

| Codename | Fixed Version                  | Status       |
|----------|--------------------------------|--------------|
| bionic   |                                | needs-triage |
| focal    | 18.9.0-11ubuntu0.20.04.3       | released     |
| jammy    | 22.1.0-2ubuntu2.4              | released     |
| lunar    | 22.4.0-4ubuntu0.23.04.1        | released     |
| mantic   | 22.4.0-4ubuntu0.23.10.1        | released     |
| noble    | 22.4.0-4ubuntu1                | released     |
| oracular | 22.4.0-4ubuntu1                | released     |
| trusty   |                                | ignored      |
| xenial   |                                | needs-triage |