CVE-2023-46137

See a problem?

Source

https://nvd.nist.gov/vuln/detail/CVE-2023-46137

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-46137.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2023-46137

Aliases

Related

Published

2023-10-25T21:15:10Z

Modified

2024-09-11T05:01:36.039102Z

Severity

5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N CVSS Calculator

Summary

[none]

Details

Twisted is an event-based framework for internet applications. Prior to version 23.10.0rc1, when sending multiple HTTP requests in one TCP packet, twisted.web will process the requests asynchronously without guaranteeing the response order. If one of the endpoints is controlled by an attacker, the attacker can delay the response on purpose to manipulate the response of the second request when a victim launched two requests using HTTP pipeline. Version 23.10.0rc1 contains a patch for this issue.

References

Affected packages

Debian:11 / twisted

Package

Name: twisted
Purl: pkg:deb/debian/twisted?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

20.*

20.3.0-7

20.3.0-7+deb11u1

22.*

22.1.0-1

22.1.0-2

22.2.0-1

22.4.0-1

22.4.0-2

22.4.0-3

22.4.0-4

23.*

23.10.0-1

23.10.0-2

24.*

24.3.0-1

24.3.0-2

24.3.0-3

24.7.0-1

24.7.0-2

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / twisted

Package

Name: twisted
Purl: pkg:deb/debian/twisted?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

22.*

22.4.0-4

23.*

23.10.0-1

23.10.0-2

24.*

24.3.0-1

24.3.0-2

24.3.0-3

24.7.0-1

24.7.0-2

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / twisted

Package

Name: twisted
Purl: pkg:deb/debian/twisted?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

23.10.0-1

Affected versions

22.*

22.4.0-4

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/twisted/twisted

Affected ranges

Type: GIT
Repo: https://github.com/twisted/twisted
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Last affected

4be2e50987d58db34683b88637417953250910af

Affected versions

Other

before-black

twisted-16.*

twisted-16.2.0

twisted-16.3.0

twisted-16.4.0

twisted-16.4.1

twisted-16.5.0

twisted-16.6.0

twisted-17.*

twisted-17.1.0

twisted-17.5.0

twisted-17.9.0

twisted-18.*

twisted-18.4.0

twisted-18.7.0

twisted-18.9.0

twisted-19.*

twisted-19.2.0

twisted-19.7.0

twisted-20.*

twisted-20.11.0.dev6

twisted-21.*

twisted-21.2.0

twisted-21.2.0rc1

twisted-21.7.0

twisted-21.7.0rc1

twisted-21.7.0rc2

twisted-21.7.0rc3

twisted-22.*

twisted-22.1.0

twisted-22.1.0rc1

twisted-22.2.0

twisted-22.2.0rc1

twisted-22.4.0

twisted-22.4.0rc1

twisted-22.8.0

twisted-22.8.0rc1