twisted 19.10.0rc1 vulnerabilities

Known vulnerabilities in the twisted package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability	Vulnerable Version
M HTTP Response Smuggling Twisted is an event-based network programming and multi-protocol integration framework. Affected versions of this package are vulnerable to HTTP Response Smuggling. When sending multiple HTTP/1.1 requests in one TCP segment, twisted.web does not guarantee the response order. An attacker in control of an endpoint can manipulate a different user's second response to a pipelined chunked request by delaying the response to their own request. Information disclosure across sessions may also be possible for reverse proxy servers using pooled connections. How to fix HTTP Response Smuggling? Upgrade `Twisted` to version 24.7.0rc1 or higher.	[16.3.0,24.7.0rc1)
M Cross-site Scripting (XSS) Twisted is an event-based network programming and multi-protocol integration framework. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) when the victim is using Firefox, due to an unescaped URL in the `redirectTo()` function. A site which is vulnerable to open redirects by other means can be can be made to execute scripts injected into a redirect URL. How to fix Cross-site Scripting (XSS)? Upgrade `Twisted` to version 24.7.0rc1 or higher.	[,24.7.0rc1)
M HTTP Response Smuggling Twisted is an event-based network programming and multi-protocol integration framework. Affected versions of this package are vulnerable to HTTP Response Smuggling. When sending multiple HTTP/1.1 requests in one TCP segment, twisted.web does not guarantee the response order. An attacker in control of an endpoint can manipulate a different user's second response to a pipelined chunked request by delaying the response to their own request. How to fix HTTP Response Smuggling? Upgrade `Twisted` to version 23.10.0rc1 or higher.	[16.3.0,23.10.0rc1)
M HTTP Header Injection Twisted is an event-based network programming and multi-protocol integration framework. Affected versions of this package are vulnerable to HTTP Header Injection via the `NameVirtualHost` function. When the host header does not match a configured host, `twisted.web.vhost.NameVirtualHost` will return a `NoResource` resource which renders the Host header unescaped into the 404 response allowing HTML and script injection. How to fix HTTP Header Injection? Upgrade `Twisted` to version 22.10.0rc1 or higher.	[,22.10.0rc1)
M HTTP Request Smuggling Twisted is an event-based network programming and multi-protocol integration framework. Affected versions of this package are vulnerable to HTTP Request Smuggling due to missing checks when requests with modified headers are sent. An attacker could exploit this vulnerability by using the following request smuggling techniques: Sending Requests with multiple `Content-Length` headers Sending Requests with a `Content-Length` header and a `Transfer-Encoding` header Sending Requests whose `Transfer-Encoding` header has a value other than `chunked` and `identity` How to fix HTTP Request Smuggling? Upgrade `Twisted` to version 20.3.0 or higher.	[,20.3.0)
M HTTP Request Smuggling Twisted is an event-based network programming and multi-protocol integration framework. Affected versions of this package are vulnerable to HTTP Request Smuggling in the `twisted.web.http` module which makes non-conformant parsing and can lead to desync if requests pass through multiple HTTP parsers. Note: To be vulnerable, applications need to both use Twisted Web's HTTP server/proxy, along with some other HTTP server/proxy. How to fix HTTP Request Smuggling? Upgrade `Twisted` to version 22.4.0rc1 or higher.	[,22.4.0rc1)
M Information Exposure Twisted is an event-based network programming and multi-protocol integration framework. Affected versions of this package are vulnerable to Information Exposure due to improper handling of sensitive data in `twisted.web.client.RedirectAgent` and `twisted.web.client.BrowserLikeRedirectAgent` which can cause cookies and authorization headers exposure when following cross-origin redirects. How to fix Information Exposure? Upgrade `Twisted` to version 22.1.0 or higher.	[11.1.0,22.1.0)
H HTTP Request Smuggling Twisted is an event-based network programming and multi-protocol integration framework. Affected versions of this package are vulnerable to HTTP Request Smuggling. When presented with two `content-length` headers, it ignored the first header. When the second content-length value was set to zero, the request body was interpreted as a pipelined request. How to fix HTTP Request Smuggling? Upgrade `Twisted` to version 20.3.0 or higher.	[,20.3.0)
H HTTP Request Splitting Twisted is an event-based network programming and multi-protocol integration framework. Affected versions of this package are vulnerable to HTTP Request Splitting. When presented with a `content-length` and a chunked encoding header, the `content-length` took precedence and the remainder of the request body was interpreted as a pipelined request. How to fix HTTP Request Splitting? Upgrade `Twisted` to version 20.3.0 or higher.	[,20.3.0)

Vulnerability

Vulnerable Version

HTTP Response Smuggling

Twisted is an event-based network programming and multi-protocol integration framework.

Affected versions of this package are vulnerable to HTTP Response Smuggling. When sending multiple HTTP/1.1 requests in one TCP segment, twisted.web does not guarantee the response order. An attacker in control of an endpoint can manipulate a different user's second response to a pipelined chunked request by delaying the response to their own request. Information disclosure across sessions may also be possible for reverse proxy servers using pooled connections.

How to fix HTTP Response Smuggling?

Upgrade Twisted to version 24.7.0rc1 or higher.

[16.3.0,24.7.0rc1)

Cross-site Scripting (XSS)

Twisted is an event-based network programming and multi-protocol integration framework.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) when the victim is using Firefox, due to an unescaped URL in the redirectTo() function. A site which is vulnerable to open redirects by other means can be can be made to execute scripts injected into a redirect URL.

How to fix Cross-site Scripting (XSS)?

Upgrade Twisted to version 24.7.0rc1 or higher.

[,24.7.0rc1)

HTTP Response Smuggling

Twisted is an event-based network programming and multi-protocol integration framework.

How to fix HTTP Response Smuggling?

Upgrade Twisted to version 23.10.0rc1 or higher.

[16.3.0,23.10.0rc1)

HTTP Header Injection

Twisted is an event-based network programming and multi-protocol integration framework.

Affected versions of this package are vulnerable to HTTP Header Injection via the NameVirtualHost function. When the host header does not match a configured host, twisted.web.vhost.NameVirtualHost will return a NoResource resource which renders the Host header unescaped into the 404 response allowing HTML and script injection.

How to fix HTTP Header Injection?

Upgrade Twisted to version 22.10.0rc1 or higher.

[,22.10.0rc1)

HTTP Request Smuggling

Twisted is an event-based network programming and multi-protocol integration framework.

Affected versions of this package are vulnerable to HTTP Request Smuggling due to missing checks when requests with modified headers are sent. An attacker could exploit this vulnerability by using the following request smuggling techniques:

Sending Requests with multiple Content-Length headers
Sending Requests with a Content-Length header and a Transfer-Encoding header
Sending Requests whose Transfer-Encoding header has a value other than chunked and identity

How to fix HTTP Request Smuggling?

Upgrade Twisted to version 20.3.0 or higher.

[,20.3.0)

HTTP Request Smuggling

Twisted is an event-based network programming and multi-protocol integration framework.

Affected versions of this package are vulnerable to HTTP Request Smuggling in the twisted.web.http module which makes non-conformant parsing and can lead to desync if requests pass through multiple HTTP parsers. Note: To be vulnerable, applications need to both use Twisted Web's HTTP server/proxy, along with some other HTTP server/proxy.

How to fix HTTP Request Smuggling?

Upgrade Twisted to version 22.4.0rc1 or higher.

[,22.4.0rc1)

Information Exposure

Twisted is an event-based network programming and multi-protocol integration framework.

Affected versions of this package are vulnerable to Information Exposure due to improper handling of sensitive data in twisted.web.client.RedirectAgent and twisted.web.client.BrowserLikeRedirectAgent which can cause cookies and authorization headers exposure when following cross-origin redirects.

How to fix Information Exposure?

Upgrade Twisted to version 22.1.0 or higher.

[11.1.0,22.1.0)

HTTP Request Smuggling

Twisted is an event-based network programming and multi-protocol integration framework.

Affected versions of this package are vulnerable to HTTP Request Smuggling. When presented with two content-length headers, it ignored the first header. When the second content-length value was set to zero, the request body was interpreted as a pipelined request.

How to fix HTTP Request Smuggling?

Upgrade Twisted to version 20.3.0 or higher.

[,20.3.0)

HTTP Request Splitting

Twisted is an event-based network programming and multi-protocol integration framework.

Affected versions of this package are vulnerable to HTTP Request Splitting. When presented with a content-length and a chunked encoding header, the content-length took precedence and the remainder of the request body was interpreted as a pipelined request.

How to fix HTTP Request Splitting?

Upgrade Twisted to version 20.3.0 or higher.

[,20.3.0)

twisted@19.10.0rc1 vulnerabilities

An asynchronous networking framework written in Python

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

How to fix?