| Severity |
|
| Remote |
|
| Type |
| - |
Unknown |
| + |
Access restriction bypass |
|
| Description |
| + |
The Twisted Web HTTP 1.1 server prior to 22.4.0rc1, located in the twisted.web.http module, parsed several HTTP request constructs more leniently than permitted by RFC 7230 leading to inconsistent interpretation of HTTP Requests ('HTTP Request Smuggling') in twisted.web. |
|
| References |
| + |
https://github.com/twisted/twisted/security/advisories/GHSA-c2jg-hw38-jrqq |
| + |
https://github.com/twisted/twisted/commit/592217e951363d60e9cd99c5bbfd23d4615043ac |
|
| Notes |
| + |
You may be affected if: |
| + |
|
| + |
1. You use Twisted Web's HTTP 1.1 server and/or proxy |
| + |
2. You also pass requests through a different HTTP server and/or proxy |
| + |
|
| + |
The specifics of the other HTTP parser matter. The original report notes that some versions of Apache Traffic Server and HAProxy have been vulnerable in the past. HTTP request smuggling may be a serious concern if you use a proxy to perform request validation or access control. |
| + |
|
| + |
The Twisted Web client is not affected. The HTTP 2.0 server uses a different parser, so it is not affected. |
|