high
8.1
CWE
444
Advisory Published
Advisory Published
Updated

CVE-2022-24801: HTTP Request Smuggling in twisted.web

First published: Mon Apr 04 2022(Updated: )

The Twisted Web HTTP 1.1 server, located in the `twisted.web.http` module, parsed several HTTP request constructs more leniently than permitted by RFC 7230: 1. The Content-Length header value could have a `+` or `-` prefix. 2. Illegal characters were permitted in chunked extensions, such as the LF (`\n`) character. 3. Chunk lengths, which are expressed in hexadecimal format, could have a prefix of `0x`. 4. HTTP headers were stripped of all leading and trailing ASCII whitespace, rather than only space and HTAB (`\t`). This non-conformant parsing can lead to desync if requests pass through multiple HTTP parsers, potentially resulting in HTTP request smuggling. ### Impact You may be affected if: 1. You use Twisted Web's HTTP 1.1 server and/or proxy 2. You also pass requests through a different HTTP server and/or proxy The specifics of the other HTTP parser matter. The original report notes that some versions of Apache Traffic Server and HAProxy have been vulnerable in the past. HTTP request smuggling may be a serious concern if you use a proxy to perform request validation or access control. The Twisted Web client is not affected. The HTTP 2.0 server uses a different parser, so it is not affected. ### Patches The issue has been addressed in Twisted 22.4.0rc1 and later. ### Workarounds Other than upgrading Twisted, you could: * Ensure any vulnerabilities in upstream proxies have been addressed, such as by upgrading them * Filter malformed requests by other means, such as configuration of an upstream proxy ### Credits This issue was initially reported by [Zhang Zeyu](https://github.com/zeyu2001).

Credit: security-advisories@github.com security-advisories@github.com

Affected SoftwareAffected VersionHow to fix
Twistedmatrix Twisted<22.4.0
Debian Debian Linux=9.0
Fedoraproject Fedora=35
Fedoraproject Fedora=36
Oracle ZFS Storage Appliance Kit=8.8
pip/twisted<22.4.0
22.4.0
Twisted Twisted<22.4.0

Remedy

https://github.com/twisted/twisted/commit/592217e951363d60e9cd99c5bbfd23d4615043ac

Remedy

https://www.oracle.com/security-alerts/cpujul2022.html

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

Reference Links

Frequently Asked Questions

  • What is CVE-2022-24801?

    CVE-2022-24801 is a vulnerability in the Twisted Web HTTP 1.1 server that allows for non-conformant parsing of HTTP request constructs.

  • How does CVE-2022-24801 affect Twisted?

    CVE-2022-24801 affects Twisted versions prior to 22.4.0rc1.

  • What is the severity of CVE-2022-24801?

    CVE-2022-24801 has a severity rating of 8.1 (High).

  • How can I fix CVE-2022-24801?

    To fix CVE-2022-24801, update your Twisted installation to version 22.4.0rc1 or newer.

  • Where can I find more information about CVE-2022-24801?

    More information about CVE-2022-24801 can be found in the Twisted repository at the following links: [GitHub Commit](https://github.com/twisted/twisted/commit/592217e951363d60e9cd99c5bbfd23d4615043ac), [Release Tag](https://github.com/twisted/twisted/releases/tag/twisted-22.4.0rc1), [Security Advisory](https://github.com/twisted/twisted/security/advisories/GHSA-c2jg-hw38-jrqq).

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2024 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203