CVE-2023-46137

Publication date 25 October 2023

Last updated 24 July 2024

Ubuntu priority

Cvss 3 Severity Score

Twisted is an event-based framework for internet applications. Prior to version 23.10.0rc1, when sending multiple HTTP requests in one TCP packet, twisted.web will process the requests asynchronously without guaranteeing the response order. If one of the endpoints is controlled by an attacker, the attacker can delay the response on purpose to manipulate the response of the second request when a victim launched two requests using HTTP pipeline. Version 23.10.0rc1 contains a patch for this issue.

Status

Show unmaintained releases

Package	Ubuntu Release	Status
twisted	24.04 LTS noble	Fixed 22.4.0-4ubuntu1
	23.10 mantic	Fixed 22.4.0-4ubuntu0.23.10.1
	23.04 lunar	Fixed 22.4.0-4ubuntu0.23.04.1
	22.04 LTS jammy	Fixed 22.1.0-2ubuntu2.4
	20.04 LTS focal	Fixed 18.9.0-11ubuntu0.20.04.3
	18.04 LTS bionic	Needs evaluation
	16.04 LTS xenial	Needs evaluation
	14.04 LTS trusty	Needs evaluation

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
twisted	Upstream: https://github.com/twisted/twisted/pull/11979 Upstream: d87aaba Upstream: 7f5446a Upstream: 7de50d6 Upstream: 36f8ff3 Upstream: 7316581 Upstream: d6b875b Upstream: 4f6c862 Upstream: 70c46ba Upstream: 430c083 Upstream: 159a6aa Upstream: 14bd26f Upstream: 88be54d

Severity score breakdown

Parameter	Value
Base score	5.3 · Medium
Attack vector	Network
Attack complexity	Low
Privileges required	None
User interaction	None
Scope	Unchanged
Confidentiality	None
Integrity impact	Low
Availability impact	None
Vector	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

References

Related Ubuntu Security Notices (USN)

USN-6575-1
Twisted vulnerabilities
10 January 2024