Twisted is an event-based framework for internet applications, supporting Python 3.6+. Prior to version 22.4.0rc1, the Twisted Web HTTP 1.1 server, located in the `twisted.web.http` module, parsed several HTTP request constructs more leniently than permitted by RFC 7230. This non-conformant parsing can lead to desync if requests pass through multiple HTTP parsers, potentially resulting in HTTP request smuggling. Users who may be affected use Twisted Web's HTTP 1.1 server and/or proxy and also pass requests through a different HTTP server and/or proxy. The Twisted Web client is not affected. The HTTP 2.0 server uses a different parser, so it is not affected. The issue has been addressed in Twisted 22.4.0rc1. Two workarounds are available: Ensure any vulnerabilities in upstream proxies have been addressed, such as by upgrading them; or filter malformed requests by other means, such as configuration of an upstream proxy.
History

Mon, 25 Nov 2024 18:30:00 +0000

Type Values Removed Values Added
First Time appeared Twisted
Twisted twisted
CPEs cpe:2.3:a:twistedmatrix:twisted:*:*:*:*:*:*:*:* cpe:2.3:a:twisted:twisted:*:*:*:*:*:*:*:*
Vendors & Products Twistedmatrix
Twistedmatrix twisted
Twisted
Twisted twisted

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2022-04-04T17:25:10

Updated: 2024-08-03T04:20:50.509Z

Reserved: 2022-02-10T00:00:00

Link: CVE-2022-24801

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2022-04-04T18:15:07.933

Modified: 2024-11-25T18:12:24.673

Link: CVE-2022-24801

cve-icon Redhat

Severity : Important

Publid Date: 2022-04-04T00:00:00Z

Links: CVE-2022-24801 - Bugzilla