Bug 2246264 (CVE-2023-46137)

Summary: CVE-2023-46137 python-twisted: disordered HTTP pipeline response in twisted.web
Product: [Other] Security Response Reporter: TEJ RATHI <trathi>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: adudiak, davidn, dfreiber, eglynn, epacific, jburrell, jcammara, jhardy, jjoyce, jneedle, jobarker, jschluet, kshier, lhh, mabashia, mburns, mgarciac, osapryki, pgrist, rhos-maint, rogbas, simaishi, slinaber, smcdonal, stcannon, teagle, tfister, tvignaud, vkumar, yguenane, zsadeh
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: twisted 23.10.0 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2252377, 2246404, 2246405, 2252378    
Bug Blocks: 2246265    

Description TEJ RATHI 2023-10-26 04:18:48 UTC
Twisted is an event-based framework for internet applications. Prior to version 23.10.0rc1, when sending multiple HTTP requests in one TCP packet, twisted.web will process the requests asynchronously without guaranteeing the response order. If one of the endpoints is controlled by an attacker, the attacker can delay the response on purpose to manipulate the response of the second request when a victim launched two requests using HTTP pipeline. Version 23.10.0rc1 contains a patch for this issue.

https://github.com/twisted/twisted/security/advisories/GHSA-xc8x-vp79-p3wm

Comment 3 Vipul Nair 2023-12-01 09:30:45 UTC
Created python-twisted tracking bugs for this issue:

Affects: epel-all [bug 2252377]
Affects: fedora-all [bug 2252378]

Comment 4 errata-xmlrpc 2024-01-22 14:19:35 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 2.4 for RHEL 8
  Red Hat Ansible Automation Platform 2.4 for RHEL 9

Via RHSA-2024:0322 https://access.redhat.com/errata/RHSA-2024:0322

Comment 5 errata-xmlrpc 2024-03-26 12:21:08 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.1

Via RHSA-2024:1516 https://access.redhat.com/errata/RHSA-2024:1516

Comment 6 errata-xmlrpc 2024-03-26 12:22:08 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.2

Via RHSA-2024:1518 https://access.redhat.com/errata/RHSA-2024:1518

Comment 7 errata-xmlrpc 2024-04-02 19:29:58 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 2.4 for RHEL 9
  Red Hat Ansible Automation Platform 2.4 for RHEL 8

Via RHSA-2024:1640 https://access.redhat.com/errata/RHSA-2024:1640