In Twisted before 19.2.1, twisted.web did not validate or sanitize URIs or HTTP methods, allowing an attacker to inject invalid characters such as CRLF.
Upstream patch: https://github.com/twisted/twisted/commit/6c61fc4503ae39ab8ecee52d10f10ee2c371d7e2
References: https://github.com/twisted/twisted/commit/6c61fc4503ae39ab8ecee52d10f10ee2c371d7e2
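The class of check the upstream fix adds, rejecting a method or request URI that contains CR, LF or any other byte outside the allowed character set before the request line is written to the socket, shown as an added example. This is not Twisted's own code; the character sets, function names and sample inputs are this example's assumptions.

```python
"""Added example: validate HTTP method and request URI before building a
request line, so a CRLF-bearing value cannot split the request stream."""
import string

# RFC 7230 token characters: the only bytes permitted in a method name.
_TOKEN_CHARS = frozenset(
    (string.ascii_letters + string.digits + "!#$%&'*+-.^_`|~").encode("ascii")
)
# RFC 3986 characters permitted in a request-target. CR, LF, space and all
# other control bytes are deliberately absent, so they fail validation.
_URI_CHARS = frozenset(
    (string.ascii_letters + string.digits + "-._~:/?#[]@!$&'()*+,;=%").encode("ascii")
)


def is_valid_method(method: bytes) -> bool:
    """True if `method` is a non-empty RFC 7230 token (bytes iterate as ints)."""
    return bool(method) and _TOKEN_CHARS.issuperset(method)


def is_valid_uri(uri: bytes) -> bool:
    """True if every byte of `uri` is a legal request-target character."""
    return bool(uri) and _URI_CHARS.issuperset(uri)


def build_request_line(method: bytes, uri: bytes) -> bytes:
    """Assemble a request line, refusing inputs that could inject headers.

    Raises ValueError rather than emitting an extra line into the stream.
    """
    if not is_valid_method(method):
        raise ValueError("invalid HTTP method: %r" % (method,))
    if not is_valid_uri(uri):
        raise ValueError("invalid request URI: %r" % (uri,))
    return method + b" " + uri + b" HTTP/1.1\r\n"


if __name__ == "__main__":
    # Constructed sample: a URI carrying an embedded CRLF is rejected.
    print(build_request_line(b"GET", b"/index.html?q=1"))
    try:
        build_request_line(b"GET", b"/index.html\r\nX-Injected: 1")
    except ValueError as exc:
        print("rejected:", exc)
```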
Created python-twisted tracking bugs for this issue: Affects: fedora-all [bug 1719503]
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7: via RHSA-2020:1091, https://access.redhat.com/errata/RHSA-2020:1091
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-12387
Statement:
* This issue does not affect Red Hat Gluster Storage 3 and Red Hat Ceph Storage 2 and 3 because these products do not use the twisted web APIs.
* This issue does affect Red Hat Enterprise Linux 6. However, because this version is now in Maintenance Support 2 Phase and the flaw has a security impact of Moderate, it is not currently planned to be addressed in future Red Hat Enterprise Linux 6 updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata
* In Red Hat OpenStack Platform, because the flaw has a lower impact and the fix would require a substantial amount of development, no update will be provided at this time for the RHOSP python-twisted package.