CVE-2022-24801 - log

CVE-2022-24801 edited at 05 Apr 2022 22:36:43
Severity
- Unknown
+ Medium
Remote
- Unknown
+ Remote
Type
- Unknown
+ Access restriction bypass
Description
+ The Twisted Web HTTP 1.1 server prior to 22.4.0rc1, located in the twisted.web.http module, parsed several HTTP request constructs more leniently than permitted by RFC 7230 leading to inconsistent interpretation of HTTP Requests ('HTTP Request Smuggling') in twisted.web.
References
+ https://github.com/twisted/twisted/security/advisories/GHSA-c2jg-hw38-jrqq
+ https://github.com/twisted/twisted/commit/592217e951363d60e9cd99c5bbfd23d4615043ac
Notes
+ You may be affected if:
+
+ 1. You use Twisted Web's HTTP 1.1 server and/or proxy
+ 2. You also pass requests through a different HTTP server and/or proxy
+
+ The specifics of the other HTTP parser matter. The original report notes that some versions of Apache Traffic Server and HAProxy have been vulnerable in the past. HTTP request smuggling may be a serious concern if you use a proxy to perform request validation or access control.
+
+ The Twisted Web client is not affected. The HTTP 2.0 server uses a different parser, so it is not affected.
CVE-2022-24801 created at 05 Apr 2022 22:25:59