Twisted is an event-based framework for internet applications, supporting Python 3.6+. Prior to version 22.4.0rc1, the Twisted Web HTTP 1.1 server, located in the twisted.web.http module, parsed several HTTP request constructs more leniently than permitted by RFC 7230. This non-conformant parsing can lead to desync if requests pass through multiple HTTP parsers, potentially resulting in HTTP request smuggling. Users who may be affected use Twisted Web's HTTP 1.1 server and/or proxy and also pass requests through a different HTTP server and/or proxy. The Twisted Web client is not affected. The HTTP 2.0 server uses a different parser, so it is not affected. The issue has been addressed in Twisted 22.4.0rc1. Two workarounds are available: Ensure any vulnerabilities in upstream proxies have been addressed, such as by upgrading them; or filter malformed requests by other means, such as configuration of an upstream proxy.
Twisted is an event-based framework for internet applications. Started with version 0.9.4, when the host header does not match a configured host twisted.web.vhost.NameVirtualHost will return a NoResource resource which renders the Host header unescaped into the 404 response allowing HTML and script injection. In practice this should be very difficult to exploit as being able to modify the Host header of a normal HTTP request implies that one is already in a privileged position. This issue was fixed in version 22.10.0rc1. There are no known workarounds.
dev-mend-for-github-com bot changed the title from "Twisted-21.2.0-py3-none-any.whl: 2 vulnerabilities (highest severity is: 8.1)" to "Twisted-21.2.0-py3-none-any.whl: 2 vulnerabilities (highest severity is: 8.1) unreachable" on Oct 27, 2024.
Vulnerable Library - Twisted-21.2.0-py3-none-any.whl
An asynchronous networking framework written in Python
Library home page: https://files.pythonhosted.org/packages/f2/16/3eb9c66a7bfb5220c7bcbaaac33d359fe8a157b028959cd210983749b2e0/Twisted-21.2.0-py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /tmp/ws-ua_20241205192444_NEOWPL/python_IHKSVC/202412051924441/env/lib/python3.7/site-packages/Twisted-21.2.0.dist-info
Found in HEAD commit: 5e380d5913a9bd669480cbd6f5a5b0a48e8c14c5
Vulnerabilities
CVE-2022-24801 (CVSS 3 score 8.1, fixed in twisted 22.4.0rc1) - Reachability: Unreachable
CVE-2022-39348 (CVSS 3 score 5.4, fixed in Twisted 22.10.0rc1) - Reachability: Unreachable
Note: In some cases, a Remediation PR cannot be created automatically for a vulnerability despite the availability of a remediation.
Details
CVE-2022-24801
Vulnerable Library - Twisted-21.2.0-py3-none-any.whl
An asynchronous networking framework written in Python
Library home page: https://files.pythonhosted.org/packages/f2/16/3eb9c66a7bfb5220c7bcbaaac33d359fe8a157b028959cd210983749b2e0/Twisted-21.2.0-py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /tmp/ws-ua_20241205192444_NEOWPL/python_IHKSVC/202412051924441/env/lib/python3.7/site-packages/Twisted-21.2.0.dist-info
Dependency Hierarchy:
Found in HEAD commit: 5e380d5913a9bd669480cbd6f5a5b0a48e8c14c5
Found in base branch: master
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
Twisted is an event-based framework for internet applications, supporting Python 3.6+. Prior to version 22.4.0rc1, the Twisted Web HTTP 1.1 server, located in the twisted.web.http module, parsed several HTTP request constructs more leniently than permitted by RFC 7230. This non-conformant parsing can lead to desync if requests pass through multiple HTTP parsers, potentially resulting in HTTP request smuggling. Users who may be affected use Twisted Web's HTTP 1.1 server and/or proxy and also pass requests through a different HTTP server and/or proxy. The Twisted Web client is not affected. The HTTP 2.0 server uses a different parser, so it is not affected. The issue has been addressed in Twisted 22.4.0rc1. Two workarounds are available: Ensure any vulnerabilities in upstream proxies have been addressed, such as by upgrading them; or filter malformed requests by other means, such as configuration of an upstream proxy.
Publish Date: 2022-04-04
URL: CVE-2022-24801
CVSS 3 Score Details (8.1)
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24801
Release Date: 2022-04-04
Fix Resolution: twisted - 22.4.0rc1
In order to enable automatic remediation, please create workflow rules
CVE-2022-39348
Vulnerable Library - Twisted-21.2.0-py3-none-any.whl
An asynchronous networking framework written in Python
Library home page: https://files.pythonhosted.org/packages/f2/16/3eb9c66a7bfb5220c7bcbaaac33d359fe8a157b028959cd210983749b2e0/Twisted-21.2.0-py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /tmp/ws-ua_20241205192444_NEOWPL/python_IHKSVC/202412051924441/env/lib/python3.7/site-packages/Twisted-21.2.0.dist-info
Dependency Hierarchy:
Found in HEAD commit: 5e380d5913a9bd669480cbd6f5a5b0a48e8c14c5
Found in base branch: master
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
Twisted is an event-based framework for internet applications. Starting with version 0.9.4, when the host header does not match a configured host, twisted.web.vhost.NameVirtualHost will return a NoResource resource which renders the Host header unescaped into the 404 response, allowing HTML and script injection. In practice this should be very difficult to exploit, as being able to modify the Host header of a normal HTTP request implies that one is already in a privileged position. This issue was fixed in version 22.10.0rc1. There are no known workarounds.
Publish Date: 2022-10-26
URL: CVE-2022-39348
CVSS 3 Score Details (5.4)
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2022-39348
Release Date: 2022-10-26
Fix Resolution: twisted - 19.2.1, 18.4.0; Twisted - 22.10.0rc1