CVE-2022-24801

HTTP Request Smuggling in twisted.web

Severity Score

8.1

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Twisted is an event-based framework for internet applications, supporting Python 3.6+. Prior to version 22.4.0rc1, the Twisted Web HTTP 1.1 server, located in the `twisted.web.http` module, parsed several HTTP request constructs more leniently than permitted by RFC 7230. This non-conformant parsing can lead to desync if requests pass through multiple HTTP parsers, potentially resulting in HTTP request smuggling. Users who may be affected use Twisted Web's HTTP 1.1 server and/or proxy and also pass requests through a different HTTP server and/or proxy. The Twisted Web client is not affected. The HTTP 2.0 server uses a different parser, so it is not affected. The issue has been addressed in Twisted 22.4.0rc1. Two workarounds are available: Ensure any vulnerabilities in upstream proxies have been addressed, such as by upgrading them; or filter malformed requests by other means, such as configuration of an upstream proxy.

Twisted es un marco de trabajo basado en eventos para aplicaciones de Internet, que soporta Python versión 3.6+. versiones hasta 22.4.0rc1, el servidor Twisted Web HTTP 1.1, ubicado en el módulo "twisted.web.http", analizaba varias construcciones de peticiones HTTP de forma más indulgente de lo permitido por el RFC 7230. Este análisis no conforme puede conllevar a una desincronización si las peticiones pasan por varios analizadores HTTP, resultando potencialmente en un contrabando de peticiones HTTP. Los usuarios que pueden verse afectados usan el servidor y/o proxy HTTP versión 1.1 de Twisted Web y también pasan peticiones mediante un servidor y/o proxy HTTP diferente. El cliente de Twisted Web no está afectado. El servidor HTTP versión 2.0 usa un parser diferente, por lo que no está afectado. El problema ha sido abordado en Twisted 22.4.0rc1. Se presentan dos medidas de mitigación disponibles: Asegurarse de que ha sido abordada cualquier vulnerabilidad en los proxies de subida, por ejemplo, actualizándolos; o filtrar las peticiones malformadas por otros medios, como la configuración de un proxy de subida

A flaw was found in python-twisted. This vulnerability occurs due to the parsing of illegal constructs in the twisted.web.http module. The illegal constructs include '+/-' in the Content-Length header, '
and \t' etc. Non-conformant parsing leads to a desync if requests pass through multiple HTTP parsers. This flaw allows a remote attacker to perform an HTTP request smuggling attack.

*Credits: N/A

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Medium

Authentication

None

Confidentiality

Partial

Integrity

Partial

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2022-02-10 CVE Reserved
2022-04-04 CVE Published
2024-08-03 CVE Updated
2024-11-08 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

CAPEC

References (9)

URL	Tag	Source
https://github.com/twisted/twisted/releases/tag/twisted-22.4.0rc1	Release Notes
https://github.com/twisted/twisted/security/advisories/GHSA-c2jg-hw38-jrqq	Third Party Advisory
https://lists.debian.org/debian-lts-announce/2022/05/msg00003.html	Mailing List

URL	Date	SRC

URL	Date	SRC
https://github.com/twisted/twisted/commit/592217e951363d60e9cd99c5bbfd23d4615043ac	2023-11-07
https://www.oracle.com/security-alerts/cpujul2022.html	2023-11-07

URL	Date	SRC
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7U6KYDTOLPICAVSR34G2WRYLFBD2YW5K	2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GLKHA6WREIVAMBQD7KKWYHPHGGNKMAG6	2023-11-07
https://access.redhat.com/security/cve/CVE-2022-24801	2022-06-07
https://bugzilla.redhat.com/show_bug.cgi?id=2073114	2022-06-07

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Twistedmatrix Search vendor "Twistedmatrix"		Twisted Search vendor "Twistedmatrix" for product "Twisted"				< 22.4.0 Search vendor "Twistedmatrix" for product "Twisted" and version " < 22.4.0"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				9.0 Search vendor "Debian" for product "Debian Linux" and version "9.0"		-		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				35 Search vendor "Fedoraproject" for product "Fedora" and version "35"		-		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				36 Search vendor "Fedoraproject" for product "Fedora" and version "36"		-		Affected
Oracle Search vendor "Oracle"		Zfs Storage Appliance Kit Search vendor "Oracle" for product "Zfs Storage Appliance Kit"				8.8 Search vendor "Oracle" for product "Zfs Storage Appliance Kit" and version "8.8"		-		Affected