CVE-2023-46137
Published 2023-10-25 · CVE-2023-46137: Twisted is an event-based framework for internet applications. Prior to version 23.10.0rc1, when sending multiple HTTP requests in one TCP packet, twisted.web…
Priority: P4 (30) · medium · 5.3 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
EPSS: 0.77% (50.9th percentile)
Twisted is an event-based framework for internet applications. Prior to version 23.10.0rc1, when sending multiple HTTP requests in one TCP packet, twisted.web will process the requests asynchronously without guaranteeing the response order. If one of the endpoints is controlled by an attacker, the attacker can deliberately delay its response to manipulate the response to the second request when a victim issues two requests over an HTTP pipeline. Version 23.10.0rc1 contains a patch for this issue.
Affected
12 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | twisted | < twisted 22.4.0-4+deb12u1 (bookworm) | twisted 22.4.0-4+deb12u1 (bookworm) |
| msrc | azl3_python-twisted_22.10.0-4_on_azure_linux_3.0 | — | — |
| msrc | cbl2_python-twisted_22.10.0-4_on_cbl_mariner_2.0 | — | — |
| twisted | twisted | <= 22.8.0 | — |
| twisted | twisted | — | — |
| twisted | twisted | >= 0 < 20.3.0-7+deb11u2 | 20.3.0-7+deb11u2 |
| twisted | twisted | >= 0 < 22.4.0-4+deb12u1 | 22.4.0-4+deb12u1 |
| twisted | twisted | >= 0 < 23.10.0-1 | 23.10.0-1 |
| twisted | twisted | >= 0 < 23.10.0-1 | 23.10.0-1 |
| twisted | twisted | >= 0 < 23.10.0rc1 | 23.10.0rc1 |
| twisted | twisted | >= 0 < 18.9.0-11ubuntu0.20.04.3 | 18.9.0-11ubuntu0.20.04.3 |
| twisted | twisted | >= 0 < 22.1.0-2ubuntu2.4 | 22.1.0-2ubuntu2.4 |
CVSS provenance

| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
| osv | 5.4 | MEDIUM | — |
| vendor_ubuntu | 5.4 | MEDIUM | — |
| vendor_debian | 5.3 | MEDIUM | — |
| vendor_msrc | 5.3 | MEDIUM | — |
| vendor_redhat | 5.3 | MEDIUM | — |
OSV
twisted vulnerabilities
osv·2024-01-10·CVSS 5.4
CVE-2022-39348 [MEDIUM] twisted vulnerabilities
twisted vulnerabilities
It was discovered that Twisted incorrectly escaped host headers in certain
404 responses. A remote attacker could possibly use this issue to perform
HTML and script injection attacks. This issue only affected Ubuntu 20.04
LTS and Ubuntu 22.04 LTS. (CVE-2022-39348)
It was discovered that Twisted incorrectly handled response order when
processing multiple HTTP requests. A remote attacker could possibly use
this issue to delay responses and manipulate the responses of second
requests. (CVE-2023-46137)
OSV
CVE-2023-46137: Twisted is an event-based framework for internet applications
osv·2023-10-25·CVSS 5.3
CVE-2023-46137 [MEDIUM] CVE-2023-46137: Twisted is an event-based framework for internet applications
Twisted is an event-based framework for internet applications. Prior to version 23.10.0rc1, when sending multiple HTTP requests in one TCP packet, twisted.web will process the requests asynchronously without guaranteeing the response order. If one of the endpoints is controlled by an attacker, the attacker can deliberately delay its response to manipulate the response to the second request when a victim issues two requests over an HTTP pipeline. Version 23.10.0rc1 contains a patch for this issue.
GHSA
twisted.web has disordered HTTP pipeline response
ghsa·2023-10-25
CVE-2023-46137 [MEDIUM] CWE-444 twisted.web has disordered HTTP pipeline response
twisted.web has disordered HTTP pipeline response
Twisted is an event-based framework for internet applications. Prior to version 23.10.0rc1, when sending multiple HTTP requests in one TCP packet, twisted.web will process the requests asynchronously without guaranteeing the response order. If one of the endpoints is controlled by an attacker, the attacker can deliberately delay its response to manipulate the response to the second request when a victim issues two requests over an HTTP pipeline. Version 23.10.0rc1 contains a patch for this issue.
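The ordering contract the description refers to, reduced to the server's write path: a pipelining client matches responses to requests by position, so a server that writes each response as soon as its handler finishes mis-pairs them whenever an earlier request (e.g. one proxied to a slow backend) finishes late. This is an added illustration, not Twisted's code or the advisory's program; the two writer classes and the constructed completion order are assumptions standing in for the faulty and fixed behaviour.

```python
"""Response ordering for pipelined HTTP/1.1 requests (added example)."""


class UnorderedWriter:
    """Vulnerable pattern: write a response the moment its handler completes.

    With pipelining, the client assigns the first bytes it reads to the first
    request it sent, so a late request 0 and an early request 1 get swapped.
    """

    def __init__(self):
        self.wire = []  # response bodies in the order the client would read them

    def complete(self, seq, body):
        self.wire.append(body)


class OrderedWriter:
    """Fixed pattern: buffer finished responses and release them in sequence."""

    def __init__(self):
        self.wire = []
        self.next_seq = 0  # sequence number the client is owed next
        self.pending = {}  # finished responses not yet releasable

    def complete(self, seq, body):
        self.pending[seq] = body
        # Drain every response that is now contiguous with the head of the
        # pipeline; anything later stays buffered until its predecessors finish.
        while self.next_seq in self.pending:
            self.wire.append(self.pending.pop(self.next_seq))
            self.next_seq += 1


def simulate(writer_cls, completion_order):
    """Feed handler completions in the given order; return what reaches the wire."""
    writer = writer_cls()
    for seq in completion_order:
        writer.complete(seq, f"response-{seq}")
    return writer.wire


if __name__ == "__main__":
    # Constructed scenario: request 0 is proxied to a slow (attacker-delayed)
    # endpoint and finishes after request 1.
    print(simulate(UnorderedWriter, [1, 0]))  # ['response-1', 'response-0']
    print(simulate(OrderedWriter, [1, 0]))    # ['response-0', 'response-1']
```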
### Details
There's an example faulty program:
```python
from twisted.internet import reactor, endpoints
from twisted.web import server
from twisted.web.proxy import ReverseProxyResource
from twisted.web.resource import Resource
class Second(Resou
```
Ubuntu
Twisted vulnerabilities
vendor_ubuntu·2024-01-10·CVSS 5.4
CVE-2022-39348 [MEDIUM] Twisted vulnerabilities
Title: Twisted vulnerabilities
Summary: Several security issues were fixed in Twisted.
It was discovered that Twisted incorrectly escaped host headers in certain
404 responses. A remote attacker could possibly use this issue to perform
HTML and script injection attacks. This issue only affected Ubuntu 20.04
LTS and Ubuntu 22.04 LTS. (CVE-2022-39348)
It was discovered that Twisted incorrectly handled response order when
processing multiple HTTP requests. A remote attacker could possibly use
this issue to delay responses and manipulate the responses of second
requests. (CVE-2023-46137)
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
python-twisted: disordered HTTP pipeline response in twisted.web
vendor_redhat·2023-10-25·CVSS 5.3
CVE-2023-46137 [MEDIUM] CWE-444 python-twisted: disordered HTTP pipeline response in twisted.web
python-twisted: disordered HTTP pipeline response in twisted.web
Twisted is an event-based framework for internet applications. Prior to version 23.10.0rc1, when sending multiple HTTP requests in one TCP packet, twisted.web will process the requests asynchronously without guaranteeing the response order. If one of the endpoints is controlled by an attacker, the attacker can deliberately delay its response to manipulate the response to the second request when a victim issues two requests over an HTTP pipeline. Version 23.10.0rc1 contains a patch for this issue.
Package: ansible-tower (Red Hat Ansible Automation Platform 1.2) - Out of support scope
Package: python3x-txaio (Red Hat Ansible Automation Platform 2) - Not affected
Package: python-txaio (Red Hat Ansible Automation Platform 2) -
Microsoft
twisted.web has disordered HTTP pipeline response
vendor_msrc·2023-10-10·CVSS 5.3
CVE-2023-46137 [MEDIUM] CWE-444 twisted.web has disordered HTTP pipeline response
twisted.web has disordered HTTP pipeline response
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Mariner: Mariner
GitHub_M: GitHub_M
Customer Action Required: Yes
Remediation: CBL-Mariner Releases
Reference: https://learn
Debian
CVE-2023-46137: twisted - Twisted is an event-based framework for internet applications. Prior to version ...
vendor_debian·2023·CVSS 5.3
CVE-2023-46137 [MEDIUM] CVE-2023-46137: twisted - Twisted is an event-based framework for internet applications. Prior to version ...
Twisted is an event-based framework for internet applications. Prior to version 23.10.0rc1, when sending multiple HTTP requests in one TCP packet, twisted.web will process the requests asynchronously without guaranteeing the response order. If one of the endpoints is controlled by an attacker, the attacker can deliberately delay its response to manipulate the response to the second request when a victim issues two requests over an HTTP pipeline. Version 23.10.0rc1 contains a patch for this issue.
Scope: local
bookworm: resolved (fixed in 22.4.0-4+deb12u1)
bullseye: resolved (fixed in 20.3.0-7+deb11u2)
forky: resolved (fixed in 23.10.0-1)
sid: resolved (fixed in 23.10.0-1)
trixie: resolved (fixed in 23.10.0-1)
No detection rules found.
No public exploits indexed.
Published: 2023-10-25