CVE-2023-46137: twisted.web has disordered HTTP pipeline response
First published: Wed Oct 25 2023(Updated: )
Twisted is an event-based framework for internet applications. Prior to version 23.10.0rc1, when sending multiple HTTP requests in one TCP packet, twisted.web will process the requests asynchronously without guaranteeing the response order. If one of the endpoints is controlled by an attacker, the attacker can delay the response on purpose to manipulate the response of the second request when a victim launched two requests using HTTP pipeline. Version 23.10.0rc1 contains a patch for this issue.
Credit: security-advisories@github.com security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Twistedmatrix Twisted | <=22.8.0 | |
| pip/twisted | <23.10.0rc1 | 23.10.0rc1 |
| debian/twisted | <=18.9.0-3+deb10u1<=18.9.0-3+deb10u2<=20.3.0-7+deb11u1<=22.4.0-4 | 23.10.0-2 |
| ubuntu/twisted | <18.9.0-11ubuntu0.20.04.3 | 18.9.0-11ubuntu0.20.04.3 |
| ubuntu/twisted | <22.1.0-2ubuntu2.4 | 22.1.0-2ubuntu2.4 |
| ubuntu/twisted | <22.4.0-4ubuntu0.23.04.1 | 22.4.0-4ubuntu0.23.04.1 |
| ubuntu/twisted | <22.4.0-4ubuntu0.23.10.1 | 22.4.0-4ubuntu0.23.10.1 |
| redhat/twisted | <23.10.0 | 23.10.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/twisted/twisted/security/advisories/GHSA-xc8x-vp79-p3wm
- https://nvd.nist.gov/vuln/detail/CVE-2023-46137
- https://github.com/pypa/advisory-database/tree/main/vulns/twisted/PYSEC-2023-224.yaml
- https://github.com/advisories/GHSA-xc8x-vp79-p3wm (Advisory)
- https://launchpad.net/bugs/cve/CVE-2023-46137
- https://security-tracker.debian.org/tracker/CVE-2023-46137
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-46137
- https://ubuntu.com/security/notices/USN-6575-1
- https://github.com/twisted/twisted/pull/11979
- https://github.com/twisted/twisted/commit/d87aababab668190d0b4c8e6c3c679d297d1efc2
- https://github.com/twisted/twisted/commit/7f5446a379dea065dff28be5957aa59d00ab7f7e
- https://github.com/twisted/twisted/commit/7de50d6b704b774d7205645512517e428b7039ce
- https://github.com/twisted/twisted/commit/36f8ff33e2385c35845b2745b8a89df1f06222f3
- https://github.com/twisted/twisted/commit/731658108bbde2349a5ffc4550e602511b81167a
- https://github.com/twisted/twisted/commit/d6b875b58701495725967b2c58a2dd528c429762
- https://github.com/twisted/twisted/commit/4f6c8625a6354aa711e166b64dda15f8129b62d0
- https://github.com/twisted/twisted/commit/70c46ba53c4e80570f0e61a4e7dda71f34c313cc
- https://github.com/twisted/twisted/commit/430c083f6ce1544f308a3d4ccfbb7f6db56f8492
- https://github.com/twisted/twisted/commit/159a6aa3a7f71dc4d96e4bf6c984793490b6734c
- https://github.com/twisted/twisted/commit/14bd26f4c68bb2b82533f68b921f596595153170
- https://github.com/twisted/twisted/commit/88be54dd0706457fe4db886ccc820ce0cdec00b1
- https://ubuntu.com/security/CVE-2023-46137
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2252377
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2252378
- https://access.redhat.com/errata/RHSA-2024:0322
- https://access.redhat.com/errata/RHSA-2024:1516
- https://access.redhat.com/errata/RHSA-2024:1518
- https://access.redhat.com/errata/RHSA-2024:1640
- https://bugzilla.redhat.com/show_bug.cgi?id=2246264
Frequently Asked Questions
What is the vulnerability ID for this issue?
The vulnerability ID for this issue is CVE-2023-46137.
What is the severity of CVE-2023-46137?
The severity of CVE-2023-46137 is medium with a CVSS score of 5.3.
What software is affected by CVE-2023-46137?
The affected software is the twisted package with version up to and excluding 23.10.0rc1.
How does CVE-2023-46137 manifest?
CVE-2023-46137 manifests when multiple HTTP requests are sent in one TCP packet, causing twisted.web to process the requests asynchronously without guaranteeing the response order.
Are there any references for CVE-2023-46137?
Yes, you can find more information about CVE-2023-46137 in the following references: [GitHub Advisory](https://github.com/twisted/twisted/security/advisories/GHSA-xc8x-vp79-p3wm), [GitHub Advisories](https://github.com/advisories/GHSA-xc8x-vp79-p3wm).
- collector/nvd-api
- collector/github-advisory-latest
- alias/GHSA-xc8x-vp79-p3wm
- alias/CVE-2023-46137
- collector/github-advisory
- agent/type
- collector/launchpad-cve
- source/Launchpad
- agent/author
- agent/first-publish-date
- agent/weakness
- agent/title
- agent/remedy
- collector/security-tracker-debian
- source/Debian
- agent/software-canonical-lookup
- collector/usn-cve
- source/Ubuntu
- collector/nvd-cve
- source/NVD
- agent/event
- agent/softwarecombine
- agent/severity
- agent/description
- collector/redhat-bugzilla
- source/Red Hat
- agent/references
- agent/last-modified-date
- agent/tags
- collector/mitre-cve
- source/MITRE
- vendor/twistedmatrix
- canonical/twistedmatrix twisted
- version/twistedmatrix twisted/22.8.0
- package-manager/pip
- package-manager/debian
- package-manager/ubuntu
- package-manager/redhat