CVE-2023-46137
published 2023-10-25

Priority: P4 30
Severity: medium (CVSS 3.1 base score 5.3)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N (network, low complexity, no privileges, no user interaction, scope unchanged; confidentiality none, integrity low, availability none)
EPSS: 0.77% (50.9th percentile)
Twisted is an event-based framework for internet applications. Prior to version 23.10.0rc1, when multiple HTTP requests arrive in one TCP packet, twisted.web processes the requests asynchronously without guaranteeing that the responses are sent in request order. If one of the endpoints is controlled by an attacker, the attacker can deliberately delay its response so that, when a victim issues two requests over one connection using HTTP pipelining, the response to the second request is manipulated. Version 23.10.0rc1 contains a patch for this issue.

Affected

12 ranges

Vendor | Product | Version range | Fixed in
debian | twisted | < twisted 22.4.0-4+deb12u1 (bookworm) | twisted 22.4.0-4+deb12u1 (bookworm)
msrc | azl3_python-twisted_22.10.0-4_on_azure_linux_3.0 | |
msrc | cbl2_python-twisted_22.10.0-4_on_cbl_mariner_2.0 | |
twisted | twisted | <= 22.8.0 |
twisted | twisted | |
twisted | twisted | >= 0 < 20.3.0-7+deb11u2 | 20.3.0-7+deb11u2
twisted | twisted | >= 0 < 22.4.0-4+deb12u1 | 22.4.0-4+deb12u1
twisted | twisted | >= 0 < 23.10.0-1 | 23.10.0-1
twisted | twisted | >= 0 < 23.10.0-1 | 23.10.0-1
twisted | twisted | >= 0 < 23.10.0rc1 | 23.10.0rc1
twisted | twisted | >= 0 < 18.9.0-11ubuntu0.20.04.3 | 18.9.0-11ubuntu0.20.04.3
twisted | twisted | >= 0 < 22.1.0-2ubuntu2.4 | 22.1.0-2ubuntu2.4

CVSS provenance

Source | Score | Severity | Vector
nvd (v3.1) | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
osv | 5.4 | MEDIUM |
vendor_ubuntu | 5.4 | MEDIUM |
vendor_debian | 5.3 | MEDIUM |
vendor_msrc | 5.3 | MEDIUM |
vendor_redhat | 5.3 | MEDIUM |