
CVE-2023-46137

Published: 25 October 2023

Twisted is an event-based framework for internet applications. Prior to version 23.10.0rc1, when multiple HTTP requests arrive in one TCP packet, twisted.web processes the requests asynchronously without guaranteeing the order of the responses. If one of the endpoints is controlled by an attacker, the attacker can deliberately delay its response and thereby manipulate the response to the second request when a victim sends two requests using HTTP pipelining. Version 23.10.0rc1 contains a patch for this issue.
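To make the ordering problem concrete, here is an added model of the bug (not Twisted's code and not the upstream patch): two pipelined requests, one to a constructed slow endpoint standing in for the attacker-controlled one, are served by a handler that writes replies as soon as they are ready, and then by one that flushes replies strictly in request order. The handler paths, delays and connection model are all constructed for the illustration.

```python
# Added model of CVE-2023-46137 (not Twisted's code): two pipelined requests,
# one to an attacker-controlled slow upstream, and how the server orders replies.
import asyncio

async def handle(path: str) -> str:
    # Constructed handlers: /slow models an endpoint that delays its reply on
    # purpose, /fast answers at once.
    await asyncio.sleep({"/slow": 0.1, "/fast": 0.0}[path])
    return f"HTTP/1.1 200 OK\r\nContent-Length: {len(path)}\r\n\r\n{path}"

async def serve_unordered(requests: list[str]) -> list[str]:
    """Vulnerable pattern: each response is written the moment its handler
    finishes, so /fast's reply reaches the client before /slow's."""
    wire: list[str] = []

    async def run(path: str) -> None:
        wire.append(await handle(path))

    await asyncio.gather(*(run(p) for p in requests))
    return wire

async def serve_ordered(requests: list[str]) -> list[str]:
    """Defensive pattern: handlers still run concurrently, but responses are
    flushed strictly in request order, so a slow handler holds back later ones."""
    tasks = [asyncio.create_task(handle(p)) for p in requests]
    wire: list[str] = []
    for task in tasks:  # await in request order; never write a later reply first
        wire.append(await task)
    return wire

def responses_match(requests: list[str], wire: list[str]) -> bool:
    """The client's view: HTTP/1.1 pairs the i-th response with the i-th request,
    so response i's body must be the path of request i."""
    return [r.split("\r\n\r\n", 1)[1] for r in wire] == requests

def demo() -> tuple[bool, bool]:
    pipelined = ["/slow", "/fast"]  # constructed: both requests in one TCP packet
    unordered = asyncio.run(serve_unordered(pipelined))
    ordered = asyncio.run(serve_ordered(pipelined))
    return responses_match(pipelined, unordered), responses_match(pipelined, ordered)

if __name__ == "__main__":
    print(demo())  # (False, True)
```

The first result is False because the client, following HTTP/1.1 pipelining rules, would attribute /fast's body to its /slow request; the second is True because the server held the later reply until the earlier one was written.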

Priority

Medium

CVSS 3 Severity Score

5.3


Status

Package: twisted (Launchpad, Ubuntu, Debian)

Release   Status
bionic    Needs triage
focal     Released (18.9.0-11ubuntu0.20.04.3)
jammy     Released (22.1.0-2ubuntu2.4)
lunar     Released (22.4.0-4ubuntu0.23.04.1)
mantic    Released (22.4.0-4ubuntu0.23.10.1)
noble     Released (22.4.0-4ubuntu1)
trusty    Needs triage
upstream  Needs triage
xenial    Needs triage

Patches:
upstream: https://github.com/twisted/twisted/pull/11979
upstream: https://github.com/twisted/twisted/commit/d87aababab668190d0b4c8e6c3c679d297d1efc2
upstream: https://github.com/twisted/twisted/commit/7f5446a379dea065dff28be5957aa59d00ab7f7e
upstream: https://github.com/twisted/twisted/commit/7de50d6b704b774d7205645512517e428b7039ce
upstream: https://github.com/twisted/twisted/commit/36f8ff33e2385c35845b2745b8a89df1f06222f3
upstream: https://github.com/twisted/twisted/commit/731658108bbde2349a5ffc4550e602511b81167a
upstream: https://github.com/twisted/twisted/commit/d6b875b58701495725967b2c58a2dd528c429762
upstream: https://github.com/twisted/twisted/commit/4f6c8625a6354aa711e166b64dda15f8129b62d0
upstream: https://github.com/twisted/twisted/commit/70c46ba53c4e80570f0e61a4e7dda71f34c313cc
upstream: https://github.com/twisted/twisted/commit/430c083f6ce1544f308a3d4ccfbb7f6db56f8492
upstream: https://github.com/twisted/twisted/commit/159a6aa3a7f71dc4d96e4bf6c984793490b6734c
upstream: https://github.com/twisted/twisted/commit/14bd26f4c68bb2b82533f68b921f596595153170
upstream: https://github.com/twisted/twisted/commit/88be54dd0706457fe4db886ccc820ce0cdec00b1

Severity score breakdown

Parameter               Value
Base score              5.3
Attack vector           Network
Attack complexity       Low
Privileges required     None
User interaction        None
Scope                   Unchanged
Confidentiality impact  None
Integrity impact        Low
Availability impact     None
Vector                  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N