Bug 2246264 (CVE-2023-46137) - CVE-2023-46137 python-twisted: disordered HTTP pipeline response in twisted.web
Summary: CVE-2023-46137 python-twisted: disordered HTTP pipeline response in twisted.web
Keywords:
Status: NEW
Alias: CVE-2023-46137
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2252377 2252378 2246404 2246405
Blocks: 2246265
TreeView+ depends on / blocked
 
Reported: 2023-10-26 04:18 UTC by TEJ RATHI
Modified: 2024-04-02 19:30 UTC (History)
31 users (show)

Fixed In Version: twisted 23.10.0
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2024:0322 0 None None None 2024-01-22 14:19:38 UTC
Red Hat Product Errata RHSA-2024:1516 0 None None None 2024-03-26 12:21:10 UTC
Red Hat Product Errata RHSA-2024:1518 0 None None None 2024-03-26 12:22:11 UTC
Red Hat Product Errata RHSA-2024:1640 0 None None None 2024-04-02 19:30:00 UTC

Description TEJ RATHI 2023-10-26 04:18:48 UTC 
Twisted is an event-based framework for internet applications. Prior to version 23.10.0rc1, when sending multiple HTTP requests in one TCP packet, twisted.web will process the requests asynchronously without guaranteeing the response order. If one of the endpoints is controlled by an attacker, the attacker can delay the response on purpose to manipulate the response of the second request when a victim launched two requests using HTTP pipeline. Version 23.10.0rc1 contains a patch for this issue.

https://github.com/twisted/twisted/security/advisories/GHSA-xc8x-vp79-p3wm
Comment 3 Vipul Nair 2023-12-01 09:30:45 UTC 
Created python-twisted tracking bugs for this issue:

Affects: epel-all [bug 2252377]
Affects: fedora-all [bug 2252378]
Comment 4 errata-xmlrpc 2024-01-22 14:19:35 UTC 
This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 2.4 for RHEL 8
  Red Hat Ansible Automation Platform 2.4 for RHEL 9

Via RHSA-2024:0322 https://access.redhat.com/errata/RHSA-2024:0322
Comment 5 errata-xmlrpc 2024-03-26 12:21:08 UTC 
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.1

Via RHSA-2024:1516 https://access.redhat.com/errata/RHSA-2024:1516
Comment 6 errata-xmlrpc 2024-03-26 12:22:08 UTC 
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.2

Via RHSA-2024:1518 https://access.redhat.com/errata/RHSA-2024:1518
Comment 7 errata-xmlrpc 2024-04-02 19:29:58 UTC 
This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 2.4 for RHEL 9
  Red Hat Ansible Automation Platform 2.4 for RHEL 8

Via RHSA-2024:1640 https://access.redhat.com/errata/RHSA-2024:1640
Note You need to log in before you can comment on or make changes to this bug.