CVE-2022-24801: HTTP Request Smuggling in twisted.web
First published: Mon Apr 04 2022(Updated: )
Twisted is an event-based framework for internet applications, supporting Python 3.6+. Prior to version 22.4.0rc1, the Twisted Web HTTP 1.1 server, located in the `twisted.web.http` module, parsed several HTTP request constructs more leniently than permitted by RFC 7230. This non-conformant parsing can lead to desync if requests pass through multiple HTTP parsers, potentially resulting in HTTP request smuggling. Users who may be affected use Twisted Web's HTTP 1.1 server and/or proxy and also pass requests through a different HTTP server and/or proxy. The Twisted Web client is not affected. The HTTP 2.0 server uses a different parser, so it is not affected. The issue has been addressed in Twisted 22.4.0rc1. Two workarounds are available: Ensure any vulnerabilities in upstream proxies have been addressed, such as by upgrading them; or filter malformed requests by other means, such as configuration of an upstream proxy.
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Twistedmatrix Twisted | <22.4.0 | |
| Debian Debian Linux | =9.0 | |
| Fedoraproject Fedora | =35 | |
| Fedoraproject Fedora | =36 | |
| Oracle ZFS Storage Appliance Kit | =8.8 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/twisted/twisted/commit/592217e951363d60e9cd99c5bbfd23d4615043ac
- https://github.com/twisted/twisted/releases/tag/twisted-22.4.0rc1
- https://github.com/twisted/twisted/security/advisories/GHSA-c2jg-hw38-jrqq
- https://lists.debian.org/debian-lts-announce/2022/05/msg00003.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7U6KYDTOLPICAVSR34G2WRYLFBD2YW5K/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GLKHA6WREIVAMBQD7KKWYHPHGGNKMAG6/
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GLKHA6WREIVAMBQD7KKWYHPHGGNKMAG6/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7U6KYDTOLPICAVSR34G2WRYLFBD2YW5K/
Frequently Asked Questions
What is CVE-2022-24801?
CVE-2022-24801 is a vulnerability in the Twisted Web HTTP 1.1 server that allows for non-conformant parsing of HTTP request constructs.
How does CVE-2022-24801 affect Twisted?
CVE-2022-24801 affects Twisted versions prior to 22.4.0rc1.
What is the severity of CVE-2022-24801?
CVE-2022-24801 has a severity rating of 8.1 (High).
How can I fix CVE-2022-24801?
To fix CVE-2022-24801, update your Twisted installation to version 22.4.0rc1 or newer.
Where can I find more information about CVE-2022-24801?
More information about CVE-2022-24801 can be found in the Twisted repository at the following links: [GitHub Commit](https://github.com/twisted/twisted/commit/592217e951363d60e9cd99c5bbfd23d4615043ac), [Release Tag](https://github.com/twisted/twisted/releases/tag/twisted-22.4.0rc1), [Security Advisory](https://github.com/twisted/twisted/security/advisories/GHSA-c2jg-hw38-jrqq).
- collector/nvd-index
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/remedy
- agent/last-modified-date
- agent/title
- agent/references
- agent/severity
- agent/author
- agent/weakness
- agent/softwarecombine
- agent/tags
- agent/description
- agent/first-publish-date
- agent/event
- vendor/twistedmatrix
- canonical/twistedmatrix twisted
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/9.0
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/35
- version/fedoraproject fedora/36
- vendor/oracle
- canonical/oracle zfs storage appliance kit
- version/oracle zfs storage appliance kit/8.8