| Package | twisted |
|---|---|
| Version | 18.9.0-3+deb10u3 (buster) |
| Related CVEs | CVE-2023-46137 CVE-2024-41671 CVE-2024-41810 |
Multiple security issues were found in Twisted, an event-based framework for internet applications, which could result in incorrect ordering of HTTP requests or cross-site scripting.
- CVE-2023-46137
  When several HTTP requests arrive in a single TCP packet, twisted.web processes them asynchronously without guaranteeing the order of the responses. If one of the endpoints is controlled by an attacker, the attacker can deliberately delay its response so as to manipulate the response to the second request when a victim sends two requests over an HTTP pipeline.
- CVE-2024-41671
  The HTTP 1.0 and 1.1 server provided by twisted.web could process pipelined HTTP requests out of order, possibly resulting in information disclosure.
- CVE-2024-41810
  The `twisted.web.util.redirectTo` function contains an HTML injection vulnerability. If application code allows an attacker to control the redirect URL, this vulnerability may result in reflected cross-site scripting (XSS) in the HTML body of the redirect response.
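As an added illustration (not part of this advisory or of Twisted's own code) of the pipelining issues described for CVE-2023-46137 and CVE-2024-41671, the following probe sends several requests in one write and checks that the responses come back in request order. It assumes a test server whose response body echoes the request path, and that responses are delimited by Content-Length; the sample byte strings are constructed.

```python
"""Check that an HTTP/1.1 server answers pipelined requests in order.

Assumptions (not from the advisory): the server under test echoes the
request path in each response body, and responses carry Content-Length.
"""
import socket


def build_pipelined(host, paths):
    """One GET per path, concatenated so they leave in a single write.

    The last request asks the server to close, so the client can read
    until EOF instead of guessing when the final response has arrived.
    """
    reqs = []
    for i, p in enumerate(paths):
        extra = "Connection: close\r\n" if i == len(paths) - 1 else ""
        reqs.append(f"GET {p} HTTP/1.1\r\nHost: {host}\r\n{extra}\r\n")
    return "".join(reqs).encode()


def split_responses(data, count):
    """Split a byte stream into (status line, headers, body) tuples."""
    out = []
    while len(out) < count:
        head, sep, rest = data.partition(b"\r\n\r\n")
        if not sep:
            raise ValueError("truncated response stream")
        lines = head.split(b"\r\n")
        headers = {}
        for line in lines[1:]:
            k, _, v = line.partition(b":")
            headers[k.strip().lower()] = v.strip()
        n = int(headers.get(b"content-length", b"0"))
        if len(rest) < n:
            raise ValueError("body shorter than Content-Length")
        out.append((lines[0], headers, rest[:n]))
        data = rest[n:]
    return out


def in_order(responses, paths):
    """True when the i-th response body echoes the i-th request path."""
    return [body.decode() for _, _, body in responses] == list(paths)


def probe(host, port, paths):
    """Send the pipelined requests over one connection; return in_order()."""
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(build_pipelined(host, paths))
        data = b""
        while chunk := s.recv(65536):
            data += chunk
    return in_order(split_responses(data, len(paths)), paths)
```

A False result from probe() means the server reordered pipelined responses, the behaviour these two CVEs describe; a patched server should return True.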
For Debian 10 buster, these problems have been fixed in version 18.9.0-3+deb10u3.
We recommend that you upgrade your twisted packages.
Further information about Extended LTS security advisories can be found in the dedicated section of our website.