CVE-2022-24801

CWE-444 — HTTP Request Smuggling10 documents9 sources

Severity

8.1HIGH

EPSS

1.1%

top 22.45%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Twisted Twisted Debian Debian Linux Fedoraproject Fedora +1 more

Timeline

PublishedApr 4

Latest updateAug 24

Description

Twisted is an event-based framework for internet applications, supporting Python 3.6+. Prior to version 22.4.0rc1, the Twisted Web HTTP 1.1 server, located in the `twisted.web.http` module, parsed several HTTP request constructs more leniently than permitted by RFC 7230. This non-conformant parsing can lead to desync if requests pass through multiple HTTP parsers, potentially resulting in HTTP request smuggling. Users who may be affected use Twisted Web's HTTP 1.1 server and/or proxy and also pa…

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 2.2 | Impact: 5.9

Affected Packages6 packages

▶PyPITwisted< 22.4.0

▶PyPItwisted< 22.4.0

▶NVDtwisted/twisted< 22.4.0

▶Debiantwisted< 20.3.0-7+deb11u1+3

▶CVEListV5twisted/twisted22.2.0

Also affects: Debian Linux 9.0, Fedora 35, 36

Patches

Patch: github.com ↗Patch: www.oracle.com ↗Patch: github.com ↗

🔴Vulnerability Details

CVEList

HTTP Request Smuggling in twisted.web↗2022-04-04

▶

OSV

CVE-2022-24801: Twisted is an event-based framework for internet applications, supporting Python 3↗2022-04-04

▶

OSV

Inconsistent Interpretation of HTTP Requests in twisted.web↗2022-04-04

▶

GHSA

Inconsistent Interpretation of HTTP Requests in twisted.web↗2022-04-04

▶

📋Vendor Advisories

Ubuntu

Twisted vulnerability↗2022-08-24

▶

Oracle

Oracle Oracle Systems Risk Matrix: Operating System Image — CVE-2022-24801↗2022-07-15

▶

Microsoft

HTTP Request Smuggling in twisted.web↗2022-04-12

▶

Red Hat

python-twisted: possible http request smuggling↗2022-04-04

▶

Debian

CVE-2022-24801: twisted - Twisted is an event-based framework for internet applications, supporting Python...↗2022

▶