AZL-31788

See a problem?

Import Source

https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-31788.json

JSON Data

https://api.test.osv.dev/v1/vulns/AZL-31788

Upstream

CVE-2023-46137

Published

2023-10-25T21:15:10Z

Modified

2026-04-01T05:10:47.705450Z

Severity

5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N CVSS Calculator

Summary

CVE-2023-46137 affecting package python-twisted for versions less than 22.10.0-4

Details

Twisted is an event-based framework for internet applications. Prior to version 23.10.0rc1, when sending multiple HTTP requests in one TCP packet, twisted.web will process the requests asynchronously without guaranteeing the response order. If one of the endpoints is controlled by an attacker, the attacker can delay the response on purpose to manipulate the response of the second request when a victim launched two requests using HTTP pipeline. Version 23.10.0rc1 contains a patch for this issue.

References

https://nvd.nist.gov/vuln/detail/CVE-2023-46137

Affected packages

Azure Linux:2 / python-twisted

Package

Name: python-twisted
Purl: pkg:rpm/azure-linux/python-twisted

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

22.10.0-4

Database specific

source

"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-31788.json"