PT-2023-8632 · Twisted+5

Mukeran · Published 2023-10-25 · Updated 2025-09-05 · CVE-2023-46137

CVSS v4.0: 6.9 (Medium)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
Twisted versions prior to 23.10.0rc1

Description
The twisted.web HTTP/1.1 server in Twisted before 23.10.0rc1 does not send responses to pipelined requests in the order in which the requests were received (CWE-444, HTTP request/response smuggling). When a client sends several requests back to back, for example in a single TCP segment, twisted.web starts processing them concurrently and writes each response as soon as its handler finishes. HTTP/1.1 pipelining gives a response no identifier of its own: the client pairs the n-th response with the n-th request it sent. If one of the requested endpoints is controlled by an attacker, the attacker can deliberately stall that endpoint's response so that, when a victim pipelines a request to it followed by a second, sensitive request, the victim's client receives the two responses swapped and attributes the attacker-controlled content to the second request.

Recommendations
Update Twisted to 23.10.0rc1 or later, where responses to pipelined requests are written in request order. Until the update is in place, avoid HTTP pipelining for sensitive requests. Because the server cannot control whether clients pipeline, the server-side form of that advice is to keep pipelined requests from reaching the vulnerable twisted.web instance directly (for example behind a reverse proxy that opens its own, non-pipelined connections to the backend), and to restrict access to endpoints an attacker can control or slow down when they share a server with sensitive ones.
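The ordering failure described above and the behaviour the fix restores, as an added example that is not Twisted's code: a small asyncio model in which the vulnerable server dispatches pipelined requests concurrently and writes each response when its handler completes, while the fixed server writes responses strictly in request order. The two endpoints, their delays, the response bodies, and the X-Target header (present only so the demo can tell which request a response really belonged to) are constructed for this illustration; the Content-Length framing and the positional pairing of responses to requests are how real HTTP/1.1 pipelining clients work.

```python
"""Added example (not Twisted's code): an asyncio model of the pipelining
bug in CVE-2023-46137 next to the fixed behaviour.  The endpoints, delays,
bodies and the X-Target header are constructed for the demonstration."""
import asyncio
from typing import Dict, List, Tuple

# Constructed application: request target -> (handler delay in s, body).
# "/slow" stands in for the attacker-controlled endpoint that stalls on purpose.
ROUTES: Dict[str, Tuple[float, bytes]] = {
    "/slow": (0.05, b"attacker-controlled"),
    "/account": (0.0, b"victim-secret"),
}


def split_pipelined_requests(data: bytes) -> List[str]:
    """Return the request targets of the bodiless requests pipelined in data."""
    targets = []
    for head in data.split(b"\r\n\r\n"):
        if head.strip():
            _method, target, _version = head.split(b"\r\n", 1)[0].split(b" ")
            targets.append(target.decode())
    return targets


def build_response(target: str, body: bytes) -> bytes:
    # X-Target exists only so the demo can see which request a response was for.
    # A real client has no such hint: it must trust the order on the wire.
    return (b"HTTP/1.1 200 OK\r\nContent-Length: %d\r\nX-Target: %s\r\n\r\n%s"
            % (len(body), target.encode(), body))


async def handle(target: str) -> bytes:
    delay, body = ROUTES.get(target, (0.0, b"not found"))
    await asyncio.sleep(delay)  # the attacker's endpoint stalls here
    return build_response(target, body)


async def vulnerable_server(wire: bytes, out: bytearray) -> None:
    """Pre-23.10.0 behaviour (modelled): every pipelined request is dispatched
    at once and each response is written the moment its handler finishes."""
    async def respond(target: str) -> None:
        out.extend(await handle(target))
    await asyncio.gather(*(respond(t) for t in split_pipelined_requests(wire)))


async def fixed_server(wire: bytes, out: bytearray) -> None:
    """23.10.0rc1 behaviour (modelled): the next pipelined request is not
    handled until the previous response is on the wire, so order is preserved."""
    for target in split_pipelined_requests(wire):
        out.extend(await handle(target))


def parse_responses(raw: bytes) -> List[Tuple[str, bytes]]:
    """Frame HTTP/1.1 responses by Content-Length; (X-Target, body) in wire order."""
    parsed, pos = [], 0
    while pos < len(raw):
        end = raw.index(b"\r\n\r\n", pos)
        lines = raw[pos:end].decode().split("\r\n")
        headers = dict(line.split(": ", 1) for line in lines[1:])
        body_start = end + 4
        body_end = body_start + int(headers["Content-Length"])
        parsed.append((headers["X-Target"], raw[body_start:body_end]))
        pos = body_end
    return parsed


def pipeline(targets: List[str]) -> bytes:
    """The bytes a pipelining client puts into a single TCP write."""
    return b"".join(b"GET %s HTTP/1.1\r\nHost: example\r\n\r\n" % t.encode()
                    for t in targets)


def response_order(server, targets=("/slow", "/account")) -> List[str]:
    """Which request each response on the wire actually belonged to."""
    out = bytearray()
    asyncio.run(server(pipeline(list(targets)), out))
    return [t for t, _ in parse_responses(bytes(out))]


def as_victim_sees_it(server, targets=("/slow", "/account")) -> Dict[str, bytes]:
    """Pair responses with requests the only way a pipelining client can: by
    position (RFC 9112 section 9.3.2 requires the server to keep that order)."""
    out = bytearray()
    asyncio.run(server(pipeline(list(targets)), out))
    bodies = [body for _, body in parse_responses(bytes(out))]
    return dict(zip(targets, bodies))


if __name__ == "__main__":
    for name, server in (("vulnerable", vulnerable_server), ("fixed", fixed_server)):
        print(name, "wire order:", response_order(server))
        print(name, "victim's view:", as_victim_sees_it(server))
```

Against the vulnerable model the victim's view maps "/account" to the attacker-controlled body, which is the manipulation the advisory describes; against the fixed model the mapping is correct. The same probe, with the model servers replaced by a raw-socket client that writes the pipeline in one send and reads until close, is a practical way to check a deployed twisted.web instance, provided one of the two targets can be made to respond slowly.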

Weakness Enumeration

CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

Related Identifiers

AZL-31788
AZL-35140
BDU:2024-01299
CVE-2023-46137
DLA-3970-1
DSA-5797-1
GHSA-XC8X-VP79-P3WM
MGASA-2025-0054
OESA-2024-1011
OESA-2024-1012
OESA-2024-1013
OESA-2024-1014
OESA-2024-1015
OESA-2024-1047
OPENSUSE-SU-2023_4490-1
OPENSUSE-SU-2023_4607-1
OPENSUSE-SU-2023_4608-1
OPENSUSE-SU-2024:13430-1
PYSEC-2023-224
RHSA-2024:0322
RHSA-2024:1516
RHSA-2024:1518
RHSA-2024:1640
SUSE-SU-2023:4490-1
SUSE-SU-2023:4607-1
SUSE-SU-2023:4608-1
SUSE-SU-2023:4830-1
SUSE-SU-2023_4607-1
SUSE-SU-2023_4830-1
USN-6575-1

Affected Products

Astra Linux
Linux Mint
RED OS
SUSE
Twisted
Ubuntu