PT-2023-8632 · Twisted+5 · Twisted+5

Mukeran

·

Publicado

2023-10-25

·

Atualizado

2025-09-05

·

CVE-2023-46137

CVSS v4.0

6.9

Média

VetorAV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions Twisted versions prior to 23.10.0rc1
Description The issue is related to the inconsistent interpretation of HTTP requests in the twisted.web component of the Twisted framework. When sending multiple HTTP requests in one TCP packet, twisted.web processes the requests asynchronously without guaranteeing the response order. If one of the endpoints is controlled by an attacker, the attacker can delay the response on purpose to manipulate the response of the second request when a victim launches two requests using HTTP pipeline.
Recommendations For Twisted versions prior to 23.10.0rc1, update to version 23.10.0rc1 or later to resolve the issue. As a temporary workaround, consider avoiding the use of HTTP pipeline for sensitive requests until the issue is resolved. Restrict access to endpoints that can be controlled by an attacker to minimize the risk of exploitation.

Exploit

Correção

HTTP Request/Response Smuggling

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-444

Identificadores relacionados

AZL-31788
AZL-35140
BDU:2024-01299
CVE-2023-46137
DLA-3970-1
DSA-5797-1
GHSA-XC8X-VP79-P3WM
MGASA-2025-0054
OESA-2024-1011
OESA-2024-1012
OESA-2024-1013
OESA-2024-1014
OESA-2024-1015
OESA-2024-1047
OPENSUSE-SU-2023_4490-1
OPENSUSE-SU-2023_4607-1
OPENSUSE-SU-2023_4608-1
OPENSUSE-SU-2024:13430-1
PYSEC-2023-224
RHSA-2024:0322
RHSA-2024:1516
RHSA-2024:1518
RHSA-2024:1640
SUSE-SU-2023:4490-1
SUSE-SU-2023:4607-1
SUSE-SU-2023:4608-1
SUSE-SU-2023:4830-1
SUSE-SU-2023_4607-1
SUSE-SU-2023_4830-1
USN-6575-1

Produtos afetados

Astra Linux
Linuxmint
Red Os
Suse
Twisted
Ubuntu