CVE-2024-41671
Published 2024-07-29
Priority: P344 · Severity: high · CVSS 3.1 score: 8.3
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
EPSS: 0.86% (53.8th percentile)
Twisted is an event-based framework for internet applications, supporting Python 3.6+. The HTTP 1.0 and 1.1 server provided by twisted.web could process pipelined HTTP requests out-of-order, possibly resulting in information disclosure. This vulnerability is fixed in 24.7.0rc1.
Affected
24 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | twisted | < twisted 22.4.0-4+deb12u1 (bookworm) | twisted 22.4.0-4+deb12u1 (bookworm) |
| msrc | azl3_python-twisted_22.10.0-3_on_azure_linux_3.0 | — | — |
| msrc | azl3_python-twisted_22.10.0-4_on_azure_linux_3.0 | — | — |
| msrc | azure_linux_3.0_arm | — | — |
| msrc | azure_linux_3.0_x64 | — | — |
| msrc | cbl2_python-twisted_22.10.0-3_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_python-twisted_22.10.0-4_on_cbl_mariner_2.0 | — | — |
| msrc | cbl_mariner_2.0_arm | — | — |
| msrc | cbl_mariner_2.0_x64 | — | — |
| twisted | twisted | <= 24.3.0 | — |
| twisted | twisted | >= 0 < 20.3.0-7+deb11u2 | 20.3.0-7+deb11u2 |
| twisted | twisted | >= 0 < 22.4.0-4+deb12u1 | 22.4.0-4+deb12u1 |
| twisted | twisted | >= 0 < 24.7.0-1 | 24.7.0-1 |
| twisted | twisted | >= 0 < 24.7.0-1 | 24.7.0-1 |
| twisted | twisted | >= 0 < 24.7.0rc1 | 24.7.0rc1 |
| twisted | twisted | >= 0 < 18.9.0-11ubuntu0.20.04.5 | 18.9.0-11ubuntu0.20.04.5 |
| twisted | twisted | >= 0 < 18.9.0-11ubuntu0.20.04.4 | 18.9.0-11ubuntu0.20.04.4 |
| twisted | twisted | >= 0 < 22.1.0-2ubuntu2.6 | 22.1.0-2ubuntu2.6 |
| twisted | twisted | >= 0 < 22.1.0-2ubuntu2.5 | 22.1.0-2ubuntu2.5 |
| twisted | twisted | >= 0 < 24.3.0-1ubuntu0.1 | 24.3.0-1ubuntu0.1 |
| twisted | twisted | >= 0 < 13.2.0-1ubuntu1.2+esm3 | 13.2.0-1ubuntu1.2+esm3 |
| twisted | twisted | >= 0 < 16.0.0-1ubuntu0.4+esm2 | 16.0.0-1ubuntu0.4+esm2 |
| twisted | twisted | >= 0 < 17.9.0-2ubuntu0.3+esm2 | 17.9.0-2ubuntu0.3+esm2 |
| twisted | twisted | >= 0 < 17.9.0-2ubuntu0.3+esm1 | 17.9.0-2ubuntu0.3+esm1 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.3 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L |
| osv | — | 8.3 | HIGH | — |
| vendor_debian | — | 8.3 | HIGH | — |
| vendor_msrc | — | 8.3 | HIGH | — |
| vendor_ubuntu | — | 8.3 | HIGH | — |
OSV: twisted vulnerability (CVE-2024-41671, HIGH, CVSS 8.3, 2024-11-26)
USN-6988-1 fixed CVE-2024-41671 in Twisted. The USN incorrectly stated that
previous releases were unaffected. This update provides the equivalent fix
for Ubuntu 22.04 LTS, Ubuntu 20.04 LTS, and Ubuntu 18.04 LTS.
Original advisory details:
Ben Kallus discovered that Twisted incorrectly handled response order when
processing multiple HTTP requests. A remote attacker could possibly use
this issue to delay and manipulate responses.
This issue only affected Ubuntu 24.04 LTS. (CVE-2024-41671)
OSV: twisted vulnerabilities (CVE-2024-41671, HIGH, CVSS 8.3, 2024-09-04)
Ben Kallus discovered that Twisted incorrectly handled response order when
processing multiple HTTP requests. A remote attacker could possibly use
this issue to delay and manipulate responses.
This issue only affected Ubuntu 24.04 LTS. (CVE-2024-41671)
It was discovered that Twisted did not properly sanitize certain input.
An attacker could use this vulnerability to possibly execute an HTML
injection leading to a cross-site scripting (XSS) attack.
(CVE-2024-41810)
OSV: CVE-2024-41671 record (HIGH, CVSS 8.3, 2024-07-29)
GHSA: twisted.web has disordered HTTP pipeline response (CVE-2024-41671, MEDIUM, CWE-444, 2024-07-29)
### Summary
The HTTP 1.0 and 1.1 server provided by twisted.web could process pipelined HTTP requests out-of-order, possibly resulting in information disclosure.
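The property the fix restores, shown as an added illustration rather than Twisted's own code: a per-connection sequencer that releases responses strictly in request order, beside a naive writer that reproduces the mis-pairing described above. The class and function names, and the three-request sample, are assumptions made for this example.

```python
"""Response ordering on a pipelined HTTP connection (illustrative, not Twisted's code).

A client that pipelines requests pairs the Nth response it reads with the Nth
request it sent.  If the server lets a fast handler write before a slower,
earlier one, the client attributes the wrong body to the wrong request.
"""


class UnorderedWriter:
    """Naive behaviour: every handler writes the moment it finishes."""

    def __init__(self):
        self.wire = []      # bodies in the order they reach the socket
        self.issued = 0

    def begin_request(self):
        seq, self.issued = self.issued, self.issued + 1
        return seq

    def finish(self, seq, body):
        self.wire.append(body)


class OrderedWriter(UnorderedWriter):
    """Mitigated behaviour: a response is parked until every earlier
    request on the connection has completed, then flushed in order."""

    def __init__(self):
        super().__init__()
        self.next_seq = 0   # sequence number allowed to write next
        self.parked = {}    # seq -> completed body waiting its turn

    def finish(self, seq, body):
        if seq >= self.issued or seq < self.next_seq or seq in self.parked:
            raise ValueError(f"unknown or already answered request {seq}")
        self.parked[seq] = body
        while self.next_seq in self.parked:          # flush the in-order run
            self.wire.append(self.parked.pop(self.next_seq))
            self.next_seq += 1


def as_client_sees(writer_cls, completion_order):
    """Three pipelined requests whose handlers finish in completion_order.
    Returns {request method: body the client pairs with it}."""
    methods = ["GET", "POST", "DELETE"]   # constructed sample pipeline
    w = writer_cls()
    seqs = [w.begin_request() for _ in methods]
    for i in completion_order:
        w.finish(seqs[i], f"echo {methods[i]}")
    return dict(zip(methods, w.wire))
```

With handlers completing as DELETE, GET, POST, the ordered writer still answers GET with `echo GET`, while the naive writer hands the client `echo DELETE` for its GET.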
### PoC
0. Start a fresh Debian container:
```sh
docker run --workdir /repro --rm -it debian:bookworm-slim
```
1. Install twisted and its dependencies:
```sh
apt -y update && apt -y install ncat git python3 python3-pip \
&& git clone --recurse-submodules https://github.com/twisted/twisted \
&& cd twisted \
&& pip3 install --break-system-packages .
```
2. Run a twisted.web HTTP server that echoes received requests' methods, e.g. the following:
```python
from twisted.web import server, resource
from twisted.internet import reactor
class TheResource(resource.Resource):
    isLeaf = Tr
```
OSV: twisted.web has disordered HTTP pipeline response (CVE-2024-41671, MEDIUM, 2024-07-29)
Ubuntu: Twisted vulnerability (CVE-2024-41671, HIGH, CVSS 8.3, 2024-11-26)
Summary: Twisted could allow unintended access to information over the network.
Instructions: In general, a standard system update will make all the necessary changes.
Ubuntu: Twisted vulnerabilities (CVE-2024-41810, HIGH, CVSS 8.3, 2024-09-04)
Summary: Several security issues were fixed in Twisted.
Instructions: In general, a standard system update will make all the necessary changes.
Microsoft: twisted.web has disordered HTTP pipeline response (CVE-2024-41671, HIGH, CWE-444, CVSS 8.3, 2024-07-09)
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Customer Action Required: Yes
Remediation: CBL-Mariner Releases
Reference: https://learn
Debian: twisted (CVE-2024-41671, HIGH, CVSS 8.3, 2024)
Scope: local
bookworm: resolved (fixed in 22.4.0-4+deb12u1)
bullseye: resolved (fixed in 20.3.0-7+deb11u2)
forky: resolved (fixed in 24.7.0-1)
sid: resolved (fixed in 24.7.0-1)
trixie: resolved (fixed in 24.7.0-1)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References:
- https://github.com/twisted/twisted/commit/046a164f89a0f08d3239ecebd750360f8914df33
- https://github.com/twisted/twisted/commit/4a930de12fb67e88fefcb8822104152f42b27abc
- https://github.com/twisted/twisted/security/advisories/GHSA-c8m8-j448-xjx7
- https://lists.debian.org/debian-lts-announce/2024/11/msg00028.html
- https://www.vicarius.io/vsociety/posts/disordered-http-pipeline-in-twistedweb-cve-2024-4167
Published: 2024-07-29