twisted@18.4.0rc1 vulnerabilities

An asynchronous networking framework written in Python

Direct Vulnerabilities

Known vulnerabilities in the twisted package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability (severity badge) / Vulnerable version range

  • [M] HTTP Response Smuggling

Twisted is an event-based network programming and multi-protocol integration framework.

Affected versions of this package are vulnerable to HTTP Response Smuggling. When sending multiple HTTP/1.1 requests in one TCP segment, twisted.web does not guarantee the response order. An attacker in control of an endpoint can manipulate a different user's second response to a pipelined chunked request by delaying the response to their own request. Information disclosure across sessions may also be possible for reverse proxy servers using pooled connections.

How to fix HTTP Response Smuggling?

Upgrade Twisted to version 24.7.0rc1 or higher.

Vulnerable versions: [16.3.0,24.7.0rc1)

  • [M] Cross-site Scripting (XSS)

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) when the victim is using Firefox, due to an unescaped URL in the redirectTo() function. A site which is vulnerable to open redirects by other means can be made to execute scripts injected into a redirect URL.

How to fix Cross-site Scripting (XSS)?

Upgrade Twisted to version 24.7.0rc1 or higher.

Vulnerable versions: [,24.7.0rc1)

  • [M] HTTP Response Smuggling

Affected versions of this package are vulnerable to HTTP Response Smuggling. When sending multiple HTTP/1.1 requests in one TCP segment, twisted.web does not guarantee the response order. An attacker in control of an endpoint can manipulate a different user's second response to a pipelined chunked request by delaying the response to their own request.

How to fix HTTP Response Smuggling?

Upgrade Twisted to version 23.10.0rc1 or higher.

Vulnerable versions: [16.3.0,23.10.0rc1)

  • [M] HTTP Header Injection

Affected versions of this package are vulnerable to HTTP Header Injection via the NameVirtualHost function. When the Host header does not match a configured host, twisted.web.vhost.NameVirtualHost returns a NoResource resource which renders the Host header unescaped into the 404 response, allowing HTML and script injection.

How to fix HTTP Header Injection?

Upgrade Twisted to version 22.10.0rc1 or higher.

Vulnerable versions: [,22.10.0rc1)

  • [M] HTTP Request Smuggling

Affected versions of this package are vulnerable to HTTP Request Smuggling due to missing checks when requests with modified headers are sent. An attacker could exploit this vulnerability by using the following request smuggling techniques:

  1. Sending requests with multiple Content-Length headers
  2. Sending requests with both a Content-Length header and a Transfer-Encoding header
  3. Sending requests whose Transfer-Encoding header has a value other than chunked or identity

How to fix HTTP Request Smuggling?

Upgrade Twisted to version 20.3.0 or higher.

Vulnerable versions: [,20.3.0)

  • [M] HTTP Request Smuggling

Affected versions of this package are vulnerable to HTTP Request Smuggling in the twisted.web.http module, which performs non-conformant parsing and can lead to desynchronization if requests pass through multiple HTTP parsers. Note: to be vulnerable, an application needs to use Twisted Web's HTTP server/proxy together with some other HTTP server/proxy.

How to fix HTTP Request Smuggling?

Upgrade Twisted to version 22.4.0rc1 or higher.

Vulnerable versions: [,22.4.0rc1)

  • [M] Information Exposure

Affected versions of this package are vulnerable to Information Exposure due to improper handling of sensitive data in twisted.web.client.RedirectAgent and twisted.web.client.BrowserLikeRedirectAgent, which can expose cookies and Authorization headers when following cross-origin redirects.

How to fix Information Exposure?

Upgrade Twisted to version 22.1.0 or higher.

Vulnerable versions: [11.1.0,22.1.0)

  • [M] HTTP Header Injection

Affected versions of this package are vulnerable to HTTP Header Injection. twisted.web.client.Request and twisted.web.client.HTTPClient are both vulnerable to header injection attacks because they do not properly sanitise linear whitespace ('\r', '\n', and '\r\n') in header values.

How to fix HTTP Header Injection?

Upgrade Twisted to version 19.2.0 or higher.

Vulnerable versions: [,19.2.0)

  • [H] HTTP Request Smuggling

Affected versions of this package are vulnerable to HTTP Request Smuggling. When presented with two Content-Length headers, the parser ignored the first header. When the second Content-Length value was set to zero, the request body was interpreted as a pipelined request.

How to fix HTTP Request Smuggling?

Upgrade Twisted to version 20.3.0 or higher.

Vulnerable versions: [,20.3.0)

  • [H] HTTP Request Splitting

Affected versions of this package are vulnerable to HTTP Request Splitting. When presented with both a Content-Length header and a chunked Transfer-Encoding header, the Content-Length took precedence and the remainder of the request body was interpreted as a pipelined request.

How to fix HTTP Request Splitting?

Upgrade Twisted to version 20.3.0 or higher.

Vulnerable versions: [,20.3.0)

  • [H] Man-in-the-Middle (MitM)

Affected versions of this package are vulnerable to Man-in-the-Middle (MitM) attacks via the words.protocols.jabber.xmlstream module. The XMPP support did not verify certificates when used with TLS, allowing an attacker to intercept connections.

How to fix Man-in-the-Middle (MitM)?

Upgrade Twisted to version 19.7.0 or higher.

Vulnerable versions: [,19.7.0)

  • [H] Improper Input Validation

Affected versions of this package are vulnerable to Improper Input Validation because the package does not validate or sanitize URIs or HTTP methods, which allows an attacker to inject invalid characters such as CRLF sequences.

How to fix Improper Input Validation?

Upgrade Twisted to version 19.2.1 or higher.

Vulnerable versions: [,19.2.1)