CVE-2022-24801

Severity: Medium
Remote: Yes
Type: Access restriction bypass
The Twisted Web HTTP 1.1 server prior to 22.4.0rc1, located in the twisted.web.http module, parsed several HTTP request constructs more leniently than RFC 7230 permits. Because another HTTP parser in the request path may apply the stricter rules, the same request can be interpreted inconsistently by the two parsers ('HTTP Request Smuggling') in twisted.web.
Group     Package         Affected  Fixed  Severity  Status      Ticket
AVG-2663  python-twisted  21.7.0-4         Medium    Vulnerable  FS#74362
You may be affected if:

1. You use Twisted Web's HTTP 1.1 server and/or proxy
2. You also pass requests through a different HTTP server and/or proxy

The specifics of the other HTTP parser matter. The original report notes that some versions of Apache Traffic Server and HAProxy have been vulnerable in the past. HTTP request smuggling is a serious concern when the proxy in front of Twisted performs request validation or access control, because a request the proxy and Twisted frame differently can reach Twisted without the proxy's checks applying to it.

The Twisted Web client is not affected. The HTTP 2.0 server uses a different parser, so it is not affected.
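The condition described above is two parsers disagreeing about where one request ends and the next begins. The following is an added example, not code from the Twisted project, of the RFC 7230 framing rules (sections 3.2.4, 3.3.2 and 3.3.3) that a strict front-end or server parser enforces so that no such disagreement is possible; this page does not state which constructs Twisted relaxed, so the checks are the general RFC ones, and the request heads in the test are constructed samples.

```python
import re
from typing import Optional

# RFC 7230 section 3.2.6 token characters, the only ones allowed in a field name.
_TOKEN = re.compile(r"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")


def framing_error(raw_head: bytes) -> Optional[str]:
    """Return a reason to reject the request head, or None if it is well-framed.

    raw_head is everything up to and including the blank line that ends the
    header block. These are general RFC 7230 rules that remove body-framing
    ambiguity between a proxy and the origin; they are not a list of the
    constructs Twisted itself accepted (not given on this page).
    """
    text = raw_head.decode("latin-1")
    if not text.endswith("\r\n\r\n"):
        return "header block must end with CRLF CRLF"
    lines = text[:-4].split("\r\n")
    if not lines[0]:
        return "missing request line"
    content_lengths = set()
    has_te = False
    for line in lines[1:]:
        if line[:1] in (" ", "\t"):
            return "obsolete line folding is not allowed (RFC 7230 3.2.4)"
        name, sep, value = line.partition(":")
        # A space before the colon fails the token test, as RFC 7230 3.2.4 requires.
        if not sep or not _TOKEN.match(name):
            return f"malformed header field name {name!r} (RFC 7230 3.2.4)"
        lname = name.lower()
        if lname == "content-length":
            # Every Content-Length value must be digits, and all copies must agree.
            for v in value.split(","):
                v = v.strip(" \t")
                if not v.isdigit():
                    return f"non-numeric Content-Length {v!r} (RFC 7230 3.3.2)"
                content_lengths.add(int(v))
            if len(content_lengths) > 1:
                return "conflicting Content-Length values (RFC 7230 3.3.3)"
        elif lname == "transfer-encoding":
            has_te = True
    if has_te and content_lengths:
        # RFC 7230 3.3.3 permits rejecting this; a strict gateway must, since two
        # parsers that honour different headers would frame the body differently.
        return "Transfer-Encoding and Content-Length both present (RFC 7230 3.3.3)"
    return None
```

A proxy that rejects every head for which this returns a reason, rather than picking one interpretation, removes the inconsistency the advisory describes regardless of which parser sits behind it.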