GHSA-6cc5-2vg4-cc7m

Suggest an improvement
Source
https://github.com/advisories/GHSA-6cc5-2vg4-cc7m
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/06/GHSA-6cc5-2vg4-cc7m/GHSA-6cc5-2vg4-cc7m.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-6cc5-2vg4-cc7m
Aliases
Published
2019-06-10T18:05:06Z
Modified
2024-11-25T18:46:25.183917Z
Severity
  • 6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
  • 5.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N CVSS Calculator
Summary
Twisted CRLF Injection
Details

In Twisted before 19.2.1, twisted.web did not validate or sanitize URIs or HTTP methods, allowing an attacker to inject invalid characters such as CRLF.

Database specific
{
    "nvd_published_at": "2019-06-10T12:29:00Z",
    "cwe_ids": [
        "CWE-74",
        "CWE-93"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2019-06-10T18:04:12Z"
}
References

Affected packages

PyPI / twisted

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
19.2.1

Affected versions

1.*

1.0.1
1.0.3
1.0.4
1.0.5
1.0.6
1.0.7
1.1.0
1.1.1
1.2.0

2.*

2.1.0
2.4.0
2.5.0

8.*

8.0.0
8.0.1
8.1.0
8.2.0

9.*

9.0.0

10.*

10.0.0
10.1.0
10.2.0

11.*

11.0.0
11.1.0

12.*

12.0.0
12.1.0
12.2.0
12.3.0

13.*

13.0.0
13.1.0
13.2.0

14.*

14.0.0
14.0.1
14.0.2

15.*

15.0.0
15.1.0
15.2.0
15.2.1
15.3.0
15.4.0
15.5.0

16.*

16.0.0
16.1.0
16.1.1
16.2.0
16.3.0
16.3.1
16.3.2
16.4.0
16.4.1
16.5.0rc1
16.5.0rc2
16.5.0
16.6.0rc1
16.6.0
16.7.0rc1
16.7.0rc2

17.*

17.1.0rc1
17.1.0
17.5.0
17.9.0rc1
17.9.0

18.*

18.4.0rc1
18.4.0
18.7.0rc1
18.7.0rc2
18.7.0
18.9.0rc1
18.9.0

19.*

19.2.0rc1
19.2.0rc2
19.2.0