Candidate: CVE-2022-24801
PublicDate: 2022-04-04 18:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24801
 https://github.com/twisted/twisted/security/advisories/GHSA-c2jg-hw38-jrqq
 https://github.com/twisted/twisted/releases/tag/twisted-22.4.0rc1
 https://github.com/twisted/twisted/commit/592217e951363d60e9cd99c5bbfd23d4615043ac (twisted-22.04.0rc1)
 https://github.com/twisted/twisted/commit/592217e951363d60e9cd99c5bbfd23d4615043ac
Description:
 Twisted is an event-based framework for internet applications, supporting
 Python 3.6+. Prior to version 22.4.0rc1, the Twisted Web HTTP 1.1 server,
 located in the `twisted.web.http` module, parsed several HTTP request
 constructs more leniently than permitted by RFC 7230. This non-conformant
 parsing can lead to desync if requests pass through multiple HTTP parsers,
 potentially resulting in HTTP request smuggling. Users who may be affected
 use Twisted Web's HTTP 1.1 server and/or proxy and also pass requests
 through a different HTTP server and/or proxy. The Twisted Web client is not
 affected. The HTTP 2.0 server uses a different parser, so it is not
 affected. The issue has been addressed in Twisted 22.4.0rc1. Two
 workarounds are available: Ensure any vulnerabilities in upstream proxies
 have been addressed, such as by upgrading them; or filter malformed
 requests by other means, such as configuration of an upstream proxy.
Ubuntu-Description:
Notes:
Mitigation:
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1009030
Priority: medium
Discovered-by:
Assigned-to: rayveldkamp
CVSS:
 nvd: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H [8.1 HIGH]


Patches_twisted:
upstream_twisted: released (22.4.0)
trusty/esm_twisted: needed
esm-infra/xenial_twisted: needed
trusty_twisted: ignored (out of standard support)
xenial_twisted: ignored (out of standard support)
bionic_twisted: needed
focal_twisted: needed
impish_twisted: needed
jammy_twisted: needed
devel_twisted: pending (22.4.0-1)