Mukeran

**Name of the Vulnerable Software and Affected Versions** Twisted versions prior to 23.10.0rc1 **Description** The issue is related to the inconsistent interpretation of HTTP requests in the twisted.web component of the Twisted framework. When sending multiple HTTP requests in one TCP packet, twisted.web processes the requests asynchronously without guaranteeing the response order. If one of the endpoints is controlled by an attacker, the attacker can delay the response on purpose to manipulate the response of the second request when a victim launches two requests using HTTP pipeline. **Recommendations** For Twisted versions prior to 23.10.0rc1, update to version 23.10.0rc1 or later to resolve the issue. As a temporary workaround, consider avoiding the use of HTTP pipeline for sensitive requests until the issue is resolved. Restrict access to endpoints that can be controlled by an attacker to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Jetty versions prior to 9.4.52 Jetty versions prior to 10.0.16 Jetty versions prior to 11.0.16 Jetty versions prior to 12.0.1 **Description** Jetty is a Java-based web server and servlet engine. It accepts the `+` character proceeding the content-length value in a HTTP/1 header field, which is more permissive than allowed by the RFC. Other servers routinely reject such requests with 400 responses. There is no known exploit scenario, but it is conceivable that request smuggling could result if Jetty is used in combination with a server that does not close the connection after sending such a 400 response. **Recommendations** Update to version 9.4.52 or later Update to version 10.0.16 or later Update to version 11.0.16 or later Update to version 12.0.1 or later

**Name of the Vulnerable Software and Affected Versions** Gevent versions prior to 23.9.1 Gevent version 23.9.0 **Description** The issue in Gevent is related to insufficient validation of executed requests in the WSGIServer component, allowing a remote attacker to escalate privileges via a crafted script. This can impact the integrity, availability, and confidentiality of protected information. **Recommendations** For Gevent versions prior to 23.9.1, update to version 23.9.1 or later to resolve the issue. For Gevent version 23.9.0, update to version 23.9.1 to resolve the issue. As a temporary workaround, consider restricting access to the WSGIServer component until a patch is available.