Fluid Attacks Database

Description

Twisted CRLF Injection In Twisted before 19.2.1, twisted.web did not validate or sanitize URIs or HTTP methods, allowing an attacker to inject invalid characters such as CRLF.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
pypi	twisted	>=0 <19.2.1	19.2.1
debian 13	twisted	>=0 <18.9.0-7	18.9.0-7
debian 11	twisted	>=0 <18.9.0-7	18.9.0-7
debian 12	twisted	>=0 <18.9.0-7	18.9.0-7
debian 14	twisted	>=0 <18.9.0-7	18.9.0-7
rpm rhel7	python-twisted-web	<0:12.1.0-6.el7	0:12.1.0-6.el7
rpm rhel6	python-twisted-web	-	-

Aliases

1. CVE-2019-123872. NVD-2019-123873. OSV-2019-123874. OSV-DEBIAN-2019-123875. GHSA-6cc5-2vg4-cc7m6. GCVE-2019-123877. SECURITY-TRACKER-CVE-2019-12387

References

1. https://github.com/twisted/twisted/commit/6c61fc4503ae39ab8ecee52d10f10ee2c371d7e22. https://github.com/pypa/advisory-database/tree/main/vulns/twisted/PYSEC-2019-128.yaml3. https://labs.twistedmatrix.com/2019/06/twisted-1921-released.html4. https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2G5RPDQ4BNB336HL6WW5ZJ344MAWNN7N5. https://lists.fedoraproject.org/archives/list/[email protected]/message/2G5RPDQ4BNB336HL6WW5ZJ344MAWNN7N6. https://twistedmatrix.com/pipermail/twisted-python/2019-June/032352.html7. https://usn.ubuntu.com/4308-18. https://usn.ubuntu.com/4308-29. https://www.oracle.com/security-alerts/cpuapr2020.html10. http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00030.html11. http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00042.html

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.