{"containers": {"cna": {"affected": [{"product": "twisted", "vendor": "twisted", "versions": [{"status": "affected", "version": "<= 22.2.0"}]}], "descriptions": [{"lang": "en", "value": "Twisted is an event-based framework for internet applications, supporting Python 3.6+. Prior to version 22.4.0rc1, the Twisted Web HTTP 1.1 server, located in the `twisted.web.http` module, parsed several HTTP request constructs more leniently than permitted by RFC 7230. This non-conformant parsing can lead to desync if requests pass through multiple HTTP parsers, potentially resulting in HTTP request smuggling. Users who may be affected use Twisted Web's HTTP 1.1 server and/or proxy and also pass requests through a different HTTP server and/or proxy. The Twisted Web client is not affected. The HTTP 2.0 server uses a different parser, so it is not affected. The issue has been addressed in Twisted 22.4.0rc1. Two workarounds are available: Ensure any vulnerabilities in upstream proxies have been addressed, such as by upgrading them; or filter malformed requests by other means, such as configuration of an upstream proxy."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-444", "description": "CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-07-25T16:52:09", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/twisted/twisted/security/advisories/GHSA-c2jg-hw38-jrqq"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/twisted/twisted/commit/592217e951363d60e9cd99c5bbfd23d4615043ac"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/twisted/twisted/releases/tag/twisted-22.4.0rc1"}, {"name": "[debian-lts-announce] 20220503 [SECURITY] [DLA 2991-1] twisted security update", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-lts-announce/2022/05/msg00003.html"}, {"name": "FEDORA-2022-71b66d4747", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GLKHA6WREIVAMBQD7KKWYHPHGGNKMAG6/"}, {"name": "FEDORA-2022-9a489fa494", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7U6KYDTOLPICAVSR34G2WRYLFBD2YW5K/"}, {"tags": ["x_refsource_MISC"], "url": "https://www.oracle.com/security-alerts/cpujul2022.html"}], "source": {"advisory": "GHSA-c2jg-hw38-jrqq", "discovery": "UNKNOWN"}, "title": "HTTP Request Smuggling in twisted.web", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2022-24801", "STATE": "PUBLIC", "TITLE": "HTTP Request Smuggling in twisted.web"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "twisted", "version": {"version_data": [{"version_value": "<= 22.2.0"}]}}]}, "vendor_name": "twisted"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Twisted is an event-based framework for internet applications, supporting Python 3.6+. Prior to version 22.4.0rc1, the Twisted Web HTTP 1.1 server, located in the `twisted.web.http` module, parsed several HTTP request constructs more leniently than permitted by RFC 7230. This non-conformant parsing can lead to desync if requests pass through multiple HTTP parsers, potentially resulting in HTTP request smuggling. Users who may be affected use Twisted Web's HTTP 1.1 server and/or proxy and also pass requests through a different HTTP server and/or proxy. The Twisted Web client is not affected. The HTTP 2.0 server uses a different parser, so it is not affected. The issue has been addressed in Twisted 22.4.0rc1. Two workarounds are available: Ensure any vulnerabilities in upstream proxies have been addressed, such as by upgrading them; or filter malformed requests by other means, such as configuration of an upstream proxy."}]}, "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')"}]}]}, "references": {"reference_data": [{"name": "https://github.com/twisted/twisted/security/advisories/GHSA-c2jg-hw38-jrqq", "refsource": "CONFIRM", "url": "https://github.com/twisted/twisted/security/advisories/GHSA-c2jg-hw38-jrqq"}, {"name": "https://github.com/twisted/twisted/commit/592217e951363d60e9cd99c5bbfd23d4615043ac", "refsource": "MISC", "url": "https://github.com/twisted/twisted/commit/592217e951363d60e9cd99c5bbfd23d4615043ac"}, {"name": "https://github.com/twisted/twisted/releases/tag/twisted-22.4.0rc1", "refsource": "MISC", "url": "https://github.com/twisted/twisted/releases/tag/twisted-22.4.0rc1"}, {"name": "[debian-lts-announce] 20220503 [SECURITY] [DLA 2991-1] twisted security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2022/05/msg00003.html"}, {"name": "FEDORA-2022-71b66d4747", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GLKHA6WREIVAMBQD7KKWYHPHGGNKMAG6/"}, {"name": "FEDORA-2022-9a489fa494", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7U6KYDTOLPICAVSR34G2WRYLFBD2YW5K/"}, {"name": "https://www.oracle.com/security-alerts/cpujul2022.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpujul2022.html"}]}, "source": {"advisory": "GHSA-c2jg-hw38-jrqq", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T04:20:50.509Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/twisted/twisted/security/advisories/GHSA-c2jg-hw38-jrqq"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/twisted/twisted/commit/592217e951363d60e9cd99c5bbfd23d4615043ac"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/twisted/twisted/releases/tag/twisted-22.4.0rc1"}, {"name": "[debian-lts-announce] 20220503 [SECURITY] [DLA 2991-1] twisted security update", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2022/05/msg00003.html"}, {"name": "FEDORA-2022-71b66d4747", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GLKHA6WREIVAMBQD7KKWYHPHGGNKMAG6/"}, {"name": "FEDORA-2022-9a489fa494", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7U6KYDTOLPICAVSR34G2WRYLFBD2YW5K/"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.oracle.com/security-alerts/cpujul2022.html"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2022-24801", "datePublished": "2022-04-04T17:25:10", "dateReserved": "2022-02-10T00:00:00", "dateUpdated": "2024-08-03T04:20:50.509Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:twistedmatrix:twisted:*:*:*:*:*:*:*:*", "matchCriteriaId": "6BE51A4E-B4B5-43AB-9C1A-46FC251C9BB6", "versionEndExcluding": "22.4.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*", "matchCriteriaId": "80E516C0-98A4-4ADE-B69F-66A772E2BAAA", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*", "matchCriteriaId": "5C675112-476C-4D7C-BCB9-A2FB2D0BC9FD", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:oracle:zfs_storage_appliance_kit:8.8:*:*:*:*:*:*:*", "matchCriteriaId": "D3E503FB-6279-4D4A-91D8-E237ECF9D2B0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Twisted is an event-based framework for internet applications, supporting Python 3.6+. Prior to version 22.4.0rc1, the Twisted Web HTTP 1.1 server, located in the `twisted.web.http` module, parsed several HTTP request constructs more leniently than permitted by RFC 7230. This non-conformant parsing can lead to desync if requests pass through multiple HTTP parsers, potentially resulting in HTTP request smuggling. Users who may be affected use Twisted Web's HTTP 1.1 server and/or proxy and also pass requests through a different HTTP server and/or proxy. The Twisted Web client is not affected. The HTTP 2.0 server uses a different parser, so it is not affected. The issue has been addressed in Twisted 22.4.0rc1. Two workarounds are available: Ensure any vulnerabilities in upstream proxies have been addressed, such as by upgrading them; or filter malformed requests by other means, such as configuration of an upstream proxy."}, {"lang": "es", "value": "Twisted es un marco de trabajo basado en eventos para aplicaciones de Internet, que soporta Python versi\u00f3n 3.6+. versiones hasta 22.4.0rc1, el servidor Twisted Web HTTP 1.1, ubicado en el m\u00f3dulo \"twisted.web.http\", analizaba varias construcciones de peticiones HTTP de forma m\u00e1s indulgente de lo permitido por el RFC 7230. Este an\u00e1lisis no conforme puede conllevar a una desincronizaci\u00f3n si las peticiones pasan por varios analizadores HTTP, resultando potencialmente en un contrabando de peticiones HTTP. Los usuarios que pueden verse afectados usan el servidor y/o proxy HTTP versi\u00f3n 1.1 de Twisted Web y tambi\u00e9n pasan peticiones mediante un servidor y/o proxy HTTP diferente. El cliente de Twisted Web no est\u00e1 afectado. El servidor HTTP versi\u00f3n 2.0 usa un parser diferente, por lo que no est\u00e1 afectado. El problema ha sido abordado en Twisted 22.4.0rc1. Se presentan dos medidas de mitigaci\u00f3n disponibles: Asegurarse de que ha sido abordada cualquier vulnerabilidad en los proxies de subida, por ejemplo, actualiz\u00e1ndolos; o filtrar las peticiones malformadas por otros medios, como la configuraci\u00f3n de un proxy de subida"}], "id": "CVE-2022-24801", "lastModified": "2023-11-07T03:44:37.783", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2022-04-04T18:15:07.933", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/twisted/twisted/commit/592217e951363d60e9cd99c5bbfd23d4615043ac"}, {"source": "security-advisories@github.com", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://github.com/twisted/twisted/releases/tag/twisted-22.4.0rc1"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/twisted/twisted/security/advisories/GHSA-c2jg-hw38-jrqq"}, {"source": "security-advisories@github.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2022/05/msg00003.html"}, {"source": "security-advisories@github.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7U6KYDTOLPICAVSR34G2WRYLFBD2YW5K/"}, {"source": "security-advisories@github.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GLKHA6WREIVAMBQD7KKWYHPHGGNKMAG6/"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpujul2022.html"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-444"}], "source": "security-advisories@github.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-444"}], "source": "nvd@nist.gov", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2022:4930", "cpe": "cpe:/o:redhat:enterprise_linux:7", "package": "python-twisted-web-0:12.1.0-8.el7_9", "product_name": "Red Hat Enterprise Linux 7", "release_date": "2022-06-07T00:00:00Z"}, {"advisory": "RHSA-2022:1646", "cpe": "cpe:/a:redhat:openstack:16.1::el8", "package": "python-twisted-0:16.4.1-20.el8ost", "product_name": "Red Hat OpenStack Platform 16.1", "release_date": "2022-04-29T00:00:00Z"}, {"advisory": "RHSA-2022:1645", "cpe": "cpe:/a:redhat:openstack:16.2::el8", "package": "python-twisted-0:16.4.1-20.el8ost", "product_name": "Red Hat OpenStack Platform 16.2", "release_date": "2022-04-29T00:00:00Z"}], "bugzilla": {"description": "python-twisted: possible http request smuggling", "id": "2073114", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2073114"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.1", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "status": "verified"}, "cwe": "CWE-444", "details": ["Twisted is an event-based framework for internet applications, supporting Python 3.6+. Prior to version 22.4.0rc1, the Twisted Web HTTP 1.1 server, located in the `twisted.web.http` module, parsed several HTTP request constructs more leniently than permitted by RFC 7230. This non-conformant parsing can lead to desync if requests pass through multiple HTTP parsers, potentially resulting in HTTP request smuggling. Users who may be affected use Twisted Web's HTTP 1.1 server and/or proxy and also pass requests through a different HTTP server and/or proxy. The Twisted Web client is not affected. The HTTP 2.0 server uses a different parser, so it is not affected. The issue has been addressed in Twisted 22.4.0rc1. Two workarounds are available: Ensure any vulnerabilities in upstream proxies have been addressed, such as by upgrading them; or filter malformed requests by other means, such as configuration of an upstream proxy.", "A flaw was found in python-twisted. This vulnerability occurs due to the parsing of illegal constructs in the twisted.web.http module. The illegal constructs include '+/-' in the Content-Length header, '\\n and \\t' etc. Non-conformant parsing leads to a desync if requests pass through multiple HTTP parsers. This flaw allows a remote attacker to perform an HTTP request smuggling attack."], "mitigation": {"lang": "en:us", "value": "Filter malformed requests like '+ or -' in Content-Length header, Illegal characters like LF(\\n) and HTAB(\\t), and 0x prefixes in HTTP Headers."}, "name": "CVE-2022-24801", "package_state": [{"cpe": "cpe:/a:redhat:ceph_storage:2", "fix_state": "Out of support scope", "package_name": "python-twisted", "product_name": "Red Hat Ceph Storage 2"}, {"cpe": "cpe:/a:redhat:ceph_storage:3", "fix_state": "Affected", "package_name": "python-twisted", "product_name": "Red Hat Ceph Storage 3"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "python-twisted", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/a:redhat:openstack:13", "fix_state": "Affected", "package_name": "python-twisted", "product_name": "Red Hat OpenStack Platform 13 (Queens)"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Affected", "package_name": "python-twisted", "product_name": "Red Hat Satellite 6"}, {"cpe": "cpe:/a:redhat:service_telemetry_framework:1.3::el8", "fix_state": "Affected", "package_name": "python-twisted", "product_name": "Service Telemetry Framework 1.3 for RHEL 8"}], "public_date": "2022-04-04T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-24801\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-24801\nhttps://github.com/twisted/twisted/security/advisories/GHSA-c2jg-hw38-jrqq"], "statement": "Red Hat Enterprise Linux 6 was affected but Out of Support Cycle because python-twisted was not listed in Red Hat Enterprise Linux 6 ELS Inclusion List.\nhttps://access.redhat.com/articles/4997301", "threat_severity": "Important", "upstream_fix": "twisted 22.4.0"}