Debian LTS DLA-3970-1: twisted security issues and updates
debian lts
November 28, 2024
Multiple security issues were found in Twisted, an event-based framework for internet applications, which could result in incorrect ordering of HTTP requests or cross-site scriptin...
Summary
CVE-2022-39348
When the host header does not match a configured host
`twisted.web.vhost.NameVirtualHost` will return a `NoResource`
resource which renders the Host header unescaped into the 404
response allowing HTML and script injection. In practice this
should be very difficult to exploit as being able to modify the
Host header of a normal HTTP request implies that one is already
in a privileged position.
CVE-2023-46137
When sending multiple HTTP requests in one TCP packet, twisted.web
will process the requests asynchronously without guaranteeing the
response order. If one of the endpoints is controlled by an
attacker, the attacker can delay the response on purpose to
manipulate the response of the second request when a victim
launched two requests using HTTP pipeline.
CVE-2024-41671
The HTTP 1.0 and 1.1 server provided by twisted.web could process
pipelined HTTP requests out-of-order, possibly resulting in
information disclosure.
PREVIOUS
NEXT
Severity
important
Lowest
Low
Medium
High
Critical
Package: twisted
Version: 20.3.0-7+deb11u2
CVE ID: CVE-2022-39348 CVE-2023-46137 CVE-2024-41671 CVE-2024-41810
Debian Bug: 1023359 1054913 1077679 1077680
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!