CVE-2023-46137

Severity
5.3 MEDIUM
EPSS
0.7% (top 28.77%)
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published Oct 25
Latest update Jan 10

Description

Twisted is an event-based framework for internet applications. Prior to version 23.10.0rc1, when multiple HTTP requests arrive in one TCP packet, twisted.web processes them asynchronously without guaranteeing that the responses are sent in request order. If one of the requested endpoints is controlled by an attacker, the attacker can deliberately delay its response so that the response to the second request is manipulated when a victim sends two requests over an HTTP pipeline. Version 23.10.0rc1 contains a patch for this issue.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Exploitability: 3.9 | Impact: 1.4

Affected Packages (5 packages)

Source      Package           Version
PyPI        Twisted           < 23.10.0rc1
PyPI        twisted           < 23.10.0rc1
Debian      twisted           < 20.3.0-7+deb11u2+3
NVD         twisted/twisted   22.8.0
CVEListV5   twisted/twisted   23.10.0rc1

Vulnerability Details (5)

OSV: twisted vulnerabilities (2024-01-10)
OSV: CVE-2023-46137: Twisted is an event-based framework for internet applications (2023-10-25)
GHSA: twisted.web has disordered HTTP pipeline response (2023-10-25)
OSV: twisted.web has disordered HTTP pipeline response (2023-10-25)
CVEList: twisted.web has disordered HTTP pipeline response (2023-10-25)

Vendor Advisories (4)

Ubuntu: Twisted vulnerabilities (2024-01-10)
Red Hat: python-twisted: disordered HTTP pipeline response in twisted.web (2023-10-25)
Microsoft: twisted.web has disordered HTTP pipeline response (2023-10-10)
Debian: CVE-2023-46137: twisted - Twisted is an event-based framework for internet applications. Prior to version ... (2023)
CVE-2023-46137 (MEDIUM CVSS 5.3) | Twisted is an event-based framework | cvebase.io