CVE-2022-24801

Severity Medium
Remote Yes
Type Access restriction bypass
Description
The Twisted Web HTTP 1.1 server prior to 22.4.0rc1, located in the twisted.web.http module, parsed several HTTP request constructs more leniently than permitted by RFC 7230, leading to inconsistent interpretation of HTTP requests ('HTTP Request Smuggling') in twisted.web.
Group     Package         Affected   Fixed   Severity   Status       Ticket
AVG-2663  python-twisted  21.7.0-4           Medium     Vulnerable   FS#74362
References
https://github.com/twisted/twisted/security/advisories/GHSA-c2jg-hw38-jrqq
https://github.com/twisted/twisted/commit/592217e951363d60e9cd99c5bbfd23d4615043ac
Notes
You may be affected if:

1. You use Twisted Web's HTTP 1.1 server and/or proxy
2. You also pass requests through a different HTTP server and/or proxy

The specifics of the other HTTP parser matter. The original report notes that some versions of Apache Traffic Server and HAProxy have been vulnerable in the past. HTTP request smuggling may be a serious concern if you use a proxy to perform request validation or access control.

The Twisted Web client is not affected. The HTTP 2.0 server uses a different parser, so it is not affected.
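As an added illustration of what "inconsistent interpretation" means in practice (this is not Twisted's code and not part of the advisory), the check below flags the request-framing ambiguities that RFC 7230 section 3.3 and 3.2.4 tell a strict server to reject instead of guessing; the page does not list which constructs Twisted accepted, so the constructs checked here are the common ones and are an assumption, and the two sample request heads are constructed.

```python
def framing_problems(raw: bytes) -> list:
    """Reasons a request head has ambiguous framing under RFC 7230 sec. 3.3 (empty = unambiguous)."""
    problems = []
    head = raw.split(b"\r\n\r\n", 1)[0]
    content_lengths, transfer_encodings = [], []
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        if not line:
            continue
        if line[:1] in (b" ", b"\t"):
            # obs-fold: RFC 7230 3.2.4 says reject with 400 or replace with SP
            problems.append("obsolete line folding in header block")
            continue
        if b":" not in line:
            problems.append("header line without a colon: %r" % line)
            continue
        name, value = line.split(b":", 1)
        if name != name.rstrip(b" \t"):
            # whitespace before the colon MUST be rejected (RFC 7230 3.2.4)
            problems.append("whitespace between field name and colon: %r" % name)
        name = name.strip(b" \t").lower()
        value = value.strip(b" \t")
        if name == b"content-length":
            content_lengths.append(value)
        elif name == b"transfer-encoding":
            transfer_encodings.append(value)
    for v in content_lengths:
        if not v.isdigit():   # Content-Length is 1*DIGIT; "+5", "5 5", "" are not
            problems.append("non-numeric Content-Length: %r" % v)
    if len(set(content_lengths)) > 1:
        problems.append("conflicting Content-Length values")
    if transfer_encodings:
        codings = [c.strip(b" \t").lower()
                   for v in transfer_encodings for c in v.split(b",")]
        if codings[-1] != b"chunked":
            problems.append("Transfer-Encoding does not end with chunked")
        if content_lengths:
            # two parsers may pick different framings here; RFC 7230 3.3.3 lets a server reject
            problems.append("both Transfer-Encoding and Content-Length present")
    return problems

# Constructed sample request heads, not taken from the advisory.
CLEAN = (b"POST /upload HTTP/1.1\r\nHost: app.example\r\n"
         b"Content-Length: 5\r\n\r\nhello")
AMBIGUOUS = (b"POST /upload HTTP/1.1\r\nHost: app.example\r\n"
             b"Content-Length: 5\r\nTransfer-Encoding : chunked\r\n\r\n0\r\n\r\n")
```

Running the check on the front proxy and on the backend with the same rules is the point: a request either parser would reject is one neither can be tricked into framing differently.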