GHSA-8r99-h8j2-rw64: Twisted vulnerable to HTTP Request Smuggling Attacks

Impact

Twisted Web is vulnerable to request smuggling attacks:

  1. “When presented with two content-length headers, Twisted Web ignored the first header. When the second content-length was set to zero this caused Twisted Web to interpret the request body as a pipelined request. According to RFC 7230 Section 3.3.3#4, if a message is received with multiple content-length headers with differing value, then the server must reject the message with a 400 response.” (Jake Miller of Bishop Fox Security)
  2. “When presented with a content-length and a chunked encoding header, the content-length took precedence and the remainder of the request body was interpreted by Twisted Web as a pipelined request. According to RFC 7230 Section 3.3.3#3, if a message with both content-length and chunked encoding is accepted, transfer-encoding overrides the content-length.” (Jake Miller of Bishop Fox Security)
  3. ~“Twisted should not allow BWS between the field-name and colon.” (ZeddYu Lu)~ closed in 9646
  4. “Two CL header with different values is also not allowed.” (ZeddYu Lu)
  5. “Only accept identity and chunked Transport-Encoding.” (ZeddYu Lu)
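
As an added example (not Twisted's code and not part of the advisory), the following Python helper applies the RFC 7230 section 3.3.3 framing rules the findings cite to a parsed header list: conflicting Content-Length values and non-chunked-final Transfer-Encoding are rejected as 400-class errors, Transfer-Encoding takes precedence over Content-Length, and whitespace in a field-name is refused, so no leftover bytes are ever treated as a pipelined request. The function names are hypothetical.

```python
from typing import List, Optional, Tuple


class BadRequest(Exception):
    """Framing is invalid; the server must answer 400 (RFC 7230 section 3.3.3)."""


def decide_body_framing(headers: List[Tuple[bytes, bytes]]) -> Tuple[str, Optional[int]]:
    """Return ("chunked", None) or ("content-length", n) for one request's headers.

    Hypothetical helper: it fixes the body length before any body byte is read,
    so leftover bytes can never be mistaken for a pipelined request.
    """
    content_lengths: List[bytes] = []
    transfer_codings: List[bytes] = []
    for name, value in headers:
        if name != name.strip() or b" " in name or b"\t" in name:
            raise BadRequest("whitespace in field-name")  # RFC 7230 3.2.4
        key = name.lower()
        if key == b"content-length":
            # One field may carry a comma-separated list of values (3.3.3#4).
            content_lengths.extend(v.strip() for v in value.split(b","))
        elif key == b"transfer-encoding":
            transfer_codings.extend(v.strip().lower() for v in value.split(b","))

    if transfer_codings:
        # 3.3.3#3: Transfer-Encoding overrides Content-Length. Only the codings
        # the advisory names are accepted, and chunked must be the final one;
        # otherwise the body length is unknowable and the request is rejected.
        if any(tc not in (b"identity", b"chunked") for tc in transfer_codings):
            raise BadRequest("unsupported transfer coding")
        if transfer_codings[-1] != b"chunked":
            raise BadRequest("chunked must be the final transfer coding")
        return ("chunked", None)

    if not content_lengths:
        return ("content-length", 0)  # 3.3.3#6: no framing header, no body
    # 3.3.3#4: differing Content-Length values are rejected, never "last one wins".
    if len(set(content_lengths)) != 1:
        raise BadRequest("conflicting Content-Length values")
    if not content_lengths[0].isdigit():
        raise BadRequest("invalid Content-Length value")
    return ("content-length", int(content_lengths[0]))


def is_rejected(headers: List[Tuple[bytes, bytes]]) -> bool:
    # True when decide_body_framing would answer these headers with 400.
    try:
        decide_body_framing(headers)
        return False
    except BadRequest:
        return True
```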

Patches

https://github.com/twisted/twisted/commit/20c787a14a09e7cbd5dfd8df08ceff00d1fcc081
https://github.com/twisted/twisted/commit/4a7d22e490bb8ff836892cc99a1f54b85ccb0281

Workarounds

N/A

References

https://portswigger.net/web-security/request-smuggling

References

  • GHSA-8r99-h8j2-rw64
  • twisted/twisted@20c787a
  • twisted/twisted@4a7d22e
