GHSA-8R99-H8J2-RW64

Vulnerability from github – Published: 2022-10-07 07:31 – Updated: 2022-10-07 07:31
Summary
Twisted vulnerable to HTTP Request Smuggling Attacks
Details

Impact

Twisted Web is vulnerable to request smuggling attacks:

  1. "When presented with two content-length headers, Twisted Web ignored the first header. When the second content-length was set to zero this caused Twisted Web to interpret the request body as a pipelined request. According to RFC 7230 Section 3.3.3#4, if a message is received with multiple content-length headers with differing values, then the server must reject the message with a 400 response." (Jake Miller of Bishop Fox Security)
  2. "When presented with a content-length and a chunked encoding header, the content-length took precedence and the remainder of the request body was interpreted by Twisted Web as a pipelined request. According to RFC 7230 Section 3.3.3#3, if a message with both content-length and chunked encoding is accepted, transfer-encoding overrides the content-length." (Jake Miller of Bishop Fox Security)
  3. ~"Twisted should not allow BWS between the field-name and colon." (ZeddYu Lu)~ closed in 9646
  4. "Two CL headers with different values is also not allowed." (ZeddYu Lu)
  5. "Only accept identity and chunked Transport-Encoding." (ZeddYu Lu)
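
The framing rules in the list above, written out as a header check. This is an added example, not Twisted's code or the patch in the linked commits; `body_framing`, `verdict`, `BadRequest` and the sample header lines are constructed for illustration.

```python
class BadRequest(Exception):
    """The caller should answer 400 and close the connection."""


def body_framing(raw_lines):
    """Return ("chunked", None), ("length", n) or ("none", 0); raise BadRequest."""
    lengths, codings = set(), []
    for line in raw_lines:
        name, sep, value = line.partition(b":")
        # Item 3: no whitespace between the field-name and the colon.
        if not sep or not name or name != name.strip(b" \t"):
            raise BadRequest("malformed field-name")
        key, value = name.lower(), value.strip(b" \t")
        if key == b"content-length":
            # Digits only: int() alone would also accept "+5" or "5_0".
            if not value.isdigit():
                raise BadRequest("invalid Content-Length")
            lengths.add(int(value))
        elif key == b"transfer-encoding":
            codings += [c.strip(b" \t").lower() for c in value.split(b",")]
    # Items 1 and 4: Content-Length headers that disagree are rejected.
    if len(lengths) > 1:
        raise BadRequest("conflicting Content-Length headers")
    # Item 5: only identity and chunked are accepted.
    if any(c not in (b"identity", b"chunked") for c in codings):
        raise BadRequest("unsupported Transfer-Encoding")
    # Item 2: Transfer-Encoding overrides Content-Length.
    if b"chunked" in codings:
        return ("chunked", None)
    return ("length", lengths.pop()) if lengths else ("none", 0)


def verdict(raw_lines):
    """Framing decision, or ("400", reason) when the headers are rejected."""
    try:
        return body_framing(raw_lines)
    except BadRequest as exc:
        return ("400", str(exc))


# Constructed header sets, one per item in the list.
SAMPLES = {
    "two differing CL": [b"Content-Length: 5", b"Content-Length: 0"],
    "CL plus chunked": [b"Content-Length: 5", b"Transfer-Encoding: chunked"],
    "space before colon": [b"Content-Length : 5"],
    "other coding": [b"Transfer-Encoding: gzip"],
}

if __name__ == "__main__":
    for label, lines in SAMPLES.items():
        print(label, "->", verdict(lines))
```

Repeated Content-Length headers that carry the same value are accepted here; only differing values are rejected, as the quoted RFC text requires.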

Patches

https://github.com/twisted/twisted/commit/20c787a14a09e7cbd5dfd8df08ceff00d1fcc081
https://github.com/twisted/twisted/commit/4a7d22e490bb8ff836892cc99a1f54b85ccb0281

Workarounds

N/A

References

https://portswigger.net/web-security/request-smuggling


{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "twisted"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "20.3.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": true,
    "github_reviewed_at": "2022-10-07T07:31:33Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Impact\nTwisted Web is vulnerable to request smuggling attacks:\n\n1. \"When presented with two content-length headers, Twisted Web ignored the first header. When the second content-length was set to zero this caused Twisted Web to interpret the request body as a pipelined request. According to RFC 7230 Section 3.3.3#4, if a message is received with multiple content-length headers with differing value, then the server must reject the message with a 400 response.\" (Jake Miller of Bishop Fox Security)\n2. \" When presented with a content-length and a chunked encoding header, the content-length took precedence and the remainder of the request body was interpreted by Twisted Web as a pipelined request. According to RFC 7230 Section 3.3.3#3, if a message with both content-length and chunked encoding is accepted, transfer-encoding overrides the content-length.\" (Jake Miller of Bishop Fox Security)\n3. ~\"Twisted should not allow BWS between the filed-name and colon.\" (ZeddYu Lu)~ _closed in 9646_\n4. \"Two CL header with different values is also not allowed.\" (ZeddYu Lu)\n5. \"Only accept identity and chunked Transport-Encoding.\" (ZeddYu Lu)\n\n### Patches\nhttps://github.com/twisted/twisted/commit/20c787a14a09e7cbd5dfd8df08ceff00d1fcc081\nhttps://github.com/twisted/twisted/commit/4a7d22e490bb8ff836892cc99a1f54b85ccb0281\n\n### Workarounds\nN/A\n\n### References\nhttps://portswigger.net/web-security/request-smuggling\n",
  "id": "GHSA-8r99-h8j2-rw64",
  "modified": "2022-10-07T07:31:33Z",
  "published": "2022-10-07T07:31:33Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/twisted/twisted/security/advisories/GHSA-8r99-h8j2-rw64"
    },
    {
      "type": "WEB",
      "url": "https://github.com/twisted/twisted/commit/20c787a14a09e7cbd5dfd8df08ceff00d1fcc081"
    },
    {
      "type": "WEB",
      "url": "https://github.com/twisted/twisted/commit/4a7d22e490bb8ff836892cc99a1f54b85ccb0281"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/twisted/twisted"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "Twisted vulnerable to HTTP Request Smuggling Attacks"
}

