GHSA-p5xh-vx83-mxcj

Source

https://github.com/advisories/GHSA-p5xh-vx83-mxcj

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/03/GHSA-p5xh-vx83-mxcj/GHSA-p5xh-vx83-mxcj.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-p5xh-vx83-mxcj

Aliases

Published

2020-03-31T15:40:12Z

Modified

2024-02-22T05:23:01.512757Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

HTTP Request Smuggling in Twisted

Details

In Twisted Web through 20.3.0, there was an HTTP request splitting vulnerability. When presented with a content-length and a chunked encoding header, the content-length took precedence and the remainder of the request body was interpreted as a pipelined request.

References

Affected packages

PyPI / twisted

Package

Name: twisted; View open source insights on deps.dev
Purl: pkg:pypi/twisted

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

20.3.0

Affected versions

1.*

1.0.1

1.0.3

1.0.4

1.0.5

1.0.6

1.0.7

1.1.0

1.1.1

1.2.0

2.*

2.1.0

2.4.0

2.5.0

8.*

8.0.0

8.0.1

8.1.0

8.2.0

9.*

9.0.0

10.*

10.0.0

10.1.0

10.2.0

11.*

11.0.0

11.1.0

12.*

12.0.0

12.1.0

12.2.0

12.3.0

13.*

13.0.0

13.1.0

13.2.0

14.*

14.0.0

14.0.1

14.0.2

15.*

15.0.0

15.1.0

15.2.0

15.2.1

15.3.0

15.4.0

15.5.0

16.*

16.0.0

16.1.0

16.1.1

16.2.0

16.3.0

16.3.1

16.3.2

16.4.0

16.4.1

16.5.0rc1

16.5.0rc2

16.5.0

16.6.0rc1

16.6.0

16.7.0rc1

16.7.0rc2

17.*

17.1.0rc1

17.1.0

17.5.0

17.9.0rc1

17.9.0

18.*

18.4.0rc1

18.4.0

18.7.0rc1

18.7.0rc2

18.7.0

18.9.0rc1

18.9.0

19.*

19.2.0rc1

19.2.0rc2

19.2.0

19.2.1

19.7.0rc1

19.7.0

19.10.0rc1

19.10.0

20.*

20.3.0rc1

Ecosystem specific

{
    "affected_functions": [
        "twisted.web.http.HTTPChannel",
        "twisted.web.http.HTTPChannel.headerReceived"
    ]
}