CVE-2022-24801
Vulnerability from cvelistv5
Published
2022-04-04 17:25
Modified
2024-08-03 04:20
Summary
HTTP Request Smuggling in twisted.web
Impacted products
twistedtwisted
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T04:20:50.509Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/twisted/twisted/security/advisories/GHSA-c2jg-hw38-jrqq"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/twisted/twisted/commit/592217e951363d60e9cd99c5bbfd23d4615043ac"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/twisted/twisted/releases/tag/twisted-22.4.0rc1"
          },
          {
            "name": "[debian-lts-announce] 20220503 [SECURITY] [DLA 2991-1] twisted security update",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2022/05/msg00003.html"
          },
          {
            "name": "FEDORA-2022-71b66d4747",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GLKHA6WREIVAMBQD7KKWYHPHGGNKMAG6/"
          },
          {
            "name": "FEDORA-2022-9a489fa494",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7U6KYDTOLPICAVSR34G2WRYLFBD2YW5K/"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "twisted",
          "vendor": "twisted",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c= 22.2.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Twisted is an event-based framework for internet applications, supporting Python 3.6+. Prior to version 22.4.0rc1, the Twisted Web HTTP 1.1 server, located in the `twisted.web.http` module, parsed several HTTP request constructs more leniently than permitted by RFC 7230. This non-conformant parsing can lead to desync if requests pass through multiple HTTP parsers, potentially resulting in HTTP request smuggling. Users who may be affected use Twisted Web\u0027s HTTP 1.1 server and/or proxy and also pass requests through a different HTTP server and/or proxy. The Twisted Web client is not affected. The HTTP 2.0 server uses a different parser, so it is not affected. The issue has been addressed in Twisted 22.4.0rc1. Two workarounds are available: Ensure any vulnerabilities in upstream proxies have been addressed, such as by upgrading them; or filter malformed requests by other means, such as configuration of an upstream proxy."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-444",
              "description": "CWE-444: Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request Smuggling\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-07-25T16:52:09",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/twisted/twisted/security/advisories/GHSA-c2jg-hw38-jrqq"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/twisted/twisted/commit/592217e951363d60e9cd99c5bbfd23d4615043ac"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/twisted/twisted/releases/tag/twisted-22.4.0rc1"
        },
        {
          "name": "[debian-lts-announce] 20220503 [SECURITY] [DLA 2991-1] twisted security update",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2022/05/msg00003.html"
        },
        {
          "name": "FEDORA-2022-71b66d4747",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GLKHA6WREIVAMBQD7KKWYHPHGGNKMAG6/"
        },
        {
          "name": "FEDORA-2022-9a489fa494",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7U6KYDTOLPICAVSR34G2WRYLFBD2YW5K/"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
        }
      ],
      "source": {
        "advisory": "GHSA-c2jg-hw38-jrqq",
        "discovery": "UNKNOWN"
      },
      "title": "HTTP Request Smuggling in twisted.web",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2022-24801",
          "STATE": "PUBLIC",
          "TITLE": "HTTP Request Smuggling in twisted.web"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "twisted",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003c= 22.2.0"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "twisted"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Twisted is an event-based framework for internet applications, supporting Python 3.6+. Prior to version 22.4.0rc1, the Twisted Web HTTP 1.1 server, located in the `twisted.web.http` module, parsed several HTTP request constructs more leniently than permitted by RFC 7230. This non-conformant parsing can lead to desync if requests pass through multiple HTTP parsers, potentially resulting in HTTP request smuggling. Users who may be affected use Twisted Web\u0027s HTTP 1.1 server and/or proxy and also pass requests through a different HTTP server and/or proxy. The Twisted Web client is not affected. The HTTP 2.0 server uses a different parser, so it is not affected. The issue has been addressed in Twisted 22.4.0rc1. Two workarounds are available: Ensure any vulnerabilities in upstream proxies have been addressed, such as by upgrading them; or filter malformed requests by other means, such as configuration of an upstream proxy."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-444: Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request Smuggling\u0027)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/twisted/twisted/security/advisories/GHSA-c2jg-hw38-jrqq",
              "refsource": "CONFIRM",
              "url": "https://github.com/twisted/twisted/security/advisories/GHSA-c2jg-hw38-jrqq"
            },
            {
              "name": "https://github.com/twisted/twisted/commit/592217e951363d60e9cd99c5bbfd23d4615043ac",
              "refsource": "MISC",
              "url": "https://github.com/twisted/twisted/commit/592217e951363d60e9cd99c5bbfd23d4615043ac"
            },
            {
              "name": "https://github.com/twisted/twisted/releases/tag/twisted-22.4.0rc1",
              "refsource": "MISC",
              "url": "https://github.com/twisted/twisted/releases/tag/twisted-22.4.0rc1"
            },
            {
              "name": "[debian-lts-announce] 20220503 [SECURITY] [DLA 2991-1] twisted security update",
              "refsource": "MLIST",
              "url": "https://lists.debian.org/debian-lts-announce/2022/05/msg00003.html"
            },
            {
              "name": "FEDORA-2022-71b66d4747",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GLKHA6WREIVAMBQD7KKWYHPHGGNKMAG6/"
            },
            {
              "name": "FEDORA-2022-9a489fa494",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7U6KYDTOLPICAVSR34G2WRYLFBD2YW5K/"
            },
            {
              "name": "https://www.oracle.com/security-alerts/cpujul2022.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
            }
          ]
        },
        "source": {
          "advisory": "GHSA-c2jg-hw38-jrqq",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2022-24801",
    "datePublished": "2022-04-04T17:25:10",
    "dateReserved": "2022-02-10T00:00:00",
    "dateUpdated": "2024-08-03T04:20:50.509Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2022-24801\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2022-04-04T18:15:07.933\",\"lastModified\":\"2023-11-07T03:44:37.783\",\"vulnStatus\":\"Modified\",\"descriptions\":[{\"lang\":\"en\",\"value\":\"Twisted is an event-based framework for internet applications, supporting Python 3.6+. Prior to version 22.4.0rc1, the Twisted Web HTTP 1.1 server, located in the `twisted.web.http` module, parsed several HTTP request constructs more leniently than permitted by RFC 7230. This non-conformant parsing can lead to desync if requests pass through multiple HTTP parsers, potentially resulting in HTTP request smuggling. Users who may be affected use Twisted Web\u0027s HTTP 1.1 server and/or proxy and also pass requests through a different HTTP server and/or proxy. The Twisted Web client is not affected. The HTTP 2.0 server uses a different parser, so it is not affected. The issue has been addressed in Twisted 22.4.0rc1. Two workarounds are available: Ensure any vulnerabilities in upstream proxies have been addressed, such as by upgrading them; or filter malformed requests by other means, such as configuration of an upstream proxy.\"},{\"lang\":\"es\",\"value\":\"Twisted es un marco de trabajo basado en eventos para aplicaciones de Internet, que soporta Python versi\u00f3n 3.6+. versiones hasta 22.4.0rc1, el servidor Twisted Web HTTP 1.1, ubicado en el m\u00f3dulo \\\"twisted.web.http\\\", analizaba varias construcciones de peticiones HTTP de forma m\u00e1s indulgente de lo permitido por el RFC 7230. Este an\u00e1lisis no conforme puede conllevar a una desincronizaci\u00f3n si las peticiones pasan por varios analizadores HTTP, resultando potencialmente en un contrabando de peticiones HTTP. Los usuarios que pueden verse afectados usan el servidor y/o proxy HTTP versi\u00f3n 1.1 de Twisted Web y tambi\u00e9n pasan peticiones mediante un servidor y/o proxy HTTP diferente. El cliente de Twisted Web no est\u00e1 afectado. El servidor HTTP versi\u00f3n 2.0 usa un parser diferente, por lo que no est\u00e1 afectado. El problema ha sido abordado en Twisted 22.4.0rc1. Se presentan dos medidas de mitigaci\u00f3n disponibles: Asegurarse de que ha sido abordada cualquier vulnerabilidad en los proxies de subida, por ejemplo, actualiz\u00e1ndolos; o filtrar las peticiones malformadas por otros medios, como la configuraci\u00f3n de un proxy de subida\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\",\"baseScore\":8.1,\"baseSeverity\":\"HIGH\"},\"exploitabilityScore\":2.2,\"impactScore\":5.9},{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\",\"baseScore\":8.1,\"baseSeverity\":\"HIGH\"},\"exploitabilityScore\":2.2,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:N/C:P/I:P/A:P\",\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\",\"baseScore\":6.8},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.6,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-444\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-444\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:twistedmatrix:twisted:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"22.4.0\",\"matchCriteriaId\":\"6BE51A4E-B4B5-43AB-9C1A-46FC251C9BB6\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"DEECE5FC-CACF-4496-A3E7-164736409252\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"80E516C0-98A4-4ADE-B69F-66A772E2BAAA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"5C675112-476C-4D7C-BCB9-A2FB2D0BC9FD\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:zfs_storage_appliance_kit:8.8:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"D3E503FB-6279-4D4A-91D8-E237ECF9D2B0\"}]}]}],\"references\":[{\"url\":\"https://github.com/twisted/twisted/commit/592217e951363d60e9cd99c5bbfd23d4615043ac\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/twisted/twisted/releases/tag/twisted-22.4.0rc1\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Release Notes\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/twisted/twisted/security/advisories/GHSA-c2jg-hw38-jrqq\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2022/05/msg00003.html\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7U6KYDTOLPICAVSR34G2WRYLFBD2YW5K/\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GLKHA6WREIVAMBQD7KKWYHPHGGNKMAG6/\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://www.oracle.com/security-alerts/cpujul2022.html\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading...

Loading...

Loading...

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.