Vulnerability in Twisted
CVE-2022-24801
Twisted is an event-based framework for internet applications, supporting Python 3.6+. Prior to version 22.4.0rc1, the Twisted Web HTTP 1.1 server, located in the `twisted.web.http` module, parsed several HTTP request constructs more lenie…
Vulnerability class: HTTP Request Smuggling
EPSS: 0.011 (78.5th percentile) — read the EPSS interpretation.
CVSS v3 metric
CVSS v3 base score 8.1 (High). Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H.
Affected products
- Twisted — versions <= 22.2.0
Weakness classification (CWE)
Public proof-of-concept exploits
References
- github.com/twisted/twisted/security/advisories/GHSA-c2jg-hw38-jrqq (x_refsource_CONFIRM)
- github.com/twisted/twisted/commit/592217e951363d60e9cd99c5bbfd23d4615043ac (x_refsource_MISC)
- github.com/twisted/twisted/releases/tag/twisted-22.4.0rc1 (x_refsource_MISC)
- [debian-lts-announce] 20220503 [SECURITY] [DLA 2991-1] twisted security update (mailing-list, x_refsource_MLIST)
- FEDORA-2022-71b66d4747 (vendor-advisory, x_refsource_FEDORA)
- FEDORA-2022-9a489fa494 (vendor-advisory, x_refsource_FEDORA)
- www.oracle.com/security-alerts/cpujul2022.html (x_refsource_MISC)
Frequently asked questions
- What is CVE-2022-24801?
- CVE-2022-24801 is a high-severity vulnerability in Twisted, classified under Inconsistent Interpretation of HTTP Requests (HTTP Request/Response Smuggling). CVSS score: 8.1/10. Published 2022-04-04.
- How severe is CVE-2022-24801?
- High severity. CVSS v3 base score is 8.1 out of 10.
- Is CVE-2022-24801 known to be exploited?
- 1 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.