Description
In Twisted before 19.2.1, twisted.web did not validate or sanitize URIs or HTTP methods, allowing an attacker to inject invalid characters such as CRLF.
References (9)
Exploit, Release Notes, Vendor Advisory (x_refsource_confirm): https://labs.twistedmatrix.com/2019/06/twisted-1921-released.html
Patch, Third Party Advisory (x_refsource_confirm): https://github.com/twisted/twisted/commit/6c61fc4503ae39ab8ecee52d10f10ee2c371d7e2
Exploit, Release Notes, Vendor Advisory (x_refsource_confirm): https://twistedmatrix.com/pipermail/twisted-python/2019-June/032352.html
Broken Link, vendor-advisory (x_refsource_suse): http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00030.html
Broken Link, vendor-advisory (x_refsource_suse): http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00042.html
Mailing List, Third Party Advisory, vendor-advisory (x_refsource_fedora): https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2G5RPDQ4BNB336HL6WW5ZJ344MAWNN7N/
Third Party Advisory, vendor-advisory (x_refsource_ubuntu): https://usn.ubuntu.com/4308-2/
Third Party Advisory, vendor-advisory (x_refsource_ubuntu): https://usn.ubuntu.com/4308-1/
Patch, Third Party Advisory (x_refsource_misc): https://www.oracle.com/security-alerts/cpuapr2020.html
Scores
CVSS v3: 6.1
EPSS: 0.0052
EPSS Percentile: 66.9%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Details
CWE: CWE-74
Status: published
Products (9)
canonical/ubuntu_linux 14.04
canonical/ubuntu_linux 16.04
canonical/ubuntu_linux 18.04
canonical/ubuntu_linux 19.10
fedoraproject/fedora 29
oracle/solaris 11
oracle/zfs_storage_appliance_kit 8.8
pypi/twisted 0 - 19.2.1 (PyPI)
twisted/twisted < 19.2.1
Published: Jun 10, 2019
Tracked Since: Feb 18, 2026