CVE-2023-46137

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2023-46137

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-46137.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2023-46137

Aliases

Downstream

DEBIAN-CVE-2023-46137

DLA-3970-1

DSA-5797-1

OESA-2024-1011

OESA-2024-1012

OESA-2024-1013

OESA-2024-1014

OESA-2024-1015

OESA-2024-1047

RHSA-2024:0322

RHSA-2024:1516

RHSA-2024:1518

RHSA-2024:1640

SUSE-SU-2023:4490-1

SUSE-SU-2023:4607-1

SUSE-SU-2023:4608-1

SUSE-SU-2023:4830-1

UBUNTU-CVE-2023-46137

USN-6575-1

openSUSE-SU-2024:13430-1

Related

Published

2023-10-25T20:56:27Z

Modified

2025-10-20T19:34:24Z

Severity

5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N CVSS Calculator

Summary

twisted.web has disordered HTTP pipeline response

Details

Twisted is an event-based framework for internet applications. Prior to version 23.10.0rc1, when sending multiple HTTP requests in one TCP packet, twisted.web will process the requests asynchronously without guaranteeing the response order. If one of the endpoints is controlled by an attacker, the attacker can delay the response on purpose to manipulate the response of the second request when a victim launched two requests using HTTP pipeline. Version 23.10.0rc1 contains a patch for this issue.

Database specific

{
    "cwe_ids": [
        "CWE-444"
    ]
}

References

https://github.com/twisted/twisted/security/advisories/GHSA-xc8x-vp79-p3wm

Affected packages

Git /

Affected ranges