Twisted is an event-based framework for internet applications, supporting Python 3.6+. Prior to version 22.4.0rc1, the Twisted Web HTTP 1.1 server, located in the `twisted.web.http` module, parsed several HTTP request constructs more leniently than permitted by RFC 7230. This non-conformant parsing can lead to desync if requests pass through multiple HTTP parsers, potentially resulting in HTTP request smuggling. Users who may be affected use Twisted Web's HTTP 1.1 server and/or proxy and also pass requests through a different HTTP server and/or proxy. The Twisted Web client is not affected. The HTTP 2.0 server uses a different parser, so it is not affected. The issue has been addressed in Twisted 22.4.0rc1. Two workarounds are available: Ensure any vulnerabilities in upstream proxies have been addressed, such as by upgrading them; or filter malformed requests by other means, such as configuration of an upstream proxy.

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS-2023-1717 advisory.

  - Twisted is an event-based framework for internet applications, supporting Python 3.6+. Prior to version     22.4.0rc1, the Twisted Web HTTP 1.1 server, located in the `twisted.web.http` module, parsed several HTTP     request constructs more leniently than permitted by RFC 7230. This non-conformant parsing can lead to     desync if requests pass through multiple HTTP parsers, potentially resulting in HTTP request smuggling.
    Users who may be affected use Twisted Web's HTTP 1.1 server and/or proxy and also pass requests through a     different HTTP server and/or proxy. The Twisted Web client is not affected. The HTTP 2.0 server uses a     different parser, so it is not affected. The issue has been addressed in Twisted 22.4.0rc1. Two     workarounds are available: Ensure any vulnerabilities in upstream proxies have been addressed, such as by     upgrading them; or filter malformed requests by other means, such as configuration of an upstream proxy.
    (CVE-2022-24801)

  - Twisted is an event-based framework for internet applications. Started with version 0.9.4, when the host     header does not match a configured host `twisted.web.vhost.NameVirtualHost` will return a `NoResource`     resource which renders the Host header unescaped into the 404 response allowing HTML and script injection.
    In practice this should be very difficult to exploit as being able to modify the Host header of a normal     HTTP request implies that one is already in a privileged position. This issue was fixed in version     22.10.0rc1. There are no known workarounds. (CVE-2022-39348)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2023-056 advisory.

  - twisted is an event-driven networking engine written in Python. In affected versions twisted exposes     cookies and authorization headers when following cross-origin redirects. This issue is present in the     `twited.web.RedirectAgent` and `twisted.web. BrowserLikeRedirectAgent` functions. Users are advised to     upgrade. There are no known workarounds. (CVE-2022-21712)

  - Twisted is an event-based framework for internet applications, supporting Python 3.6+. Prior to 22.2.0,     Twisted SSH client and server implement is able to accept an infinite amount of data for the peer's SSH     version identifier. This ends up with a buffer using all the available memory. The attach is a simple as     `nc -rv localhost 22 < /dev/zero`. A patch is available in version 22.2.0. There are currently no known     workarounds. (CVE-2022-21716)

  - Twisted is an event-based framework for internet applications, supporting Python 3.6+. Prior to version     22.4.0rc1, the Twisted Web HTTP 1.1 server, located in the `twisted.web.http` module, parsed several HTTP     request constructs more leniently than permitted by RFC 7230. This non-conformant parsing can lead to     desync if requests pass through multiple HTTP parsers, potentially resulting in HTTP request smuggling.
    Users who may be affected use Twisted Web's HTTP 1.1 server and/or proxy and also pass requests through a     different HTTP server and/or proxy. The Twisted Web client is not affected. The HTTP 2.0 server uses a     different parser, so it is not affected. The issue has been addressed in Twisted 22.4.0rc1. Two     workarounds are available: Ensure any vulnerabilities in upstream proxies have been addressed, such as by     upgrading them; or filter malformed requests by other means, such as configuration of an upstream proxy.
    (CVE-2022-24801)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of python-twisted installed on the remote CBL Mariner 2.0 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2022-24801 advisory.

  - Twisted is an event-based framework for internet applications, supporting Python 3.6+. Prior to version     22.4.0rc1, the Twisted Web HTTP 1.1 server, located in the `twisted.web.http` module, parsed several HTTP     request constructs more leniently than permitted by RFC 7230. This non-conformant parsing can lead to     desync if requests pass through multiple HTTP parsers, potentially resulting in HTTP request smuggling.
    Users who may be affected use Twisted Web's HTTP 1.1 server and/or proxy and also pass requests through a     different HTTP server and/or proxy. The Twisted Web client is not affected. The HTTP 2.0 server uses a     different parser, so it is not affected. The issue has been addressed in Twisted 22.4.0rc1. Two     workarounds are available: Ensure any vulnerabilities in upstream proxies have been addressed, such as by     upgrading them; or filter malformed requests by other means, such as configuration of an upstream proxy.
    (CVE-2022-24801)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2022-2022-231 advisory.

  - twisted is an event-driven networking engine written in Python. In affected versions twisted exposes     cookies and authorization headers when following cross-origin redirects. This issue is present in the     `twited.web.RedirectAgent` and `twisted.web. BrowserLikeRedirectAgent` functions. Users are advised to     upgrade. There are no known workarounds. (CVE-2022-21712)

  - Twisted is an event-based framework for internet applications, supporting Python 3.6+. Prior to 22.2.0,     Twisted SSH client and server implement is able to accept an infinite amount of data for the peer's SSH     version identifier. This ends up with a buffer using all the available memory. The attach is a simple as     `nc -rv localhost 22 < /dev/zero`. A patch is available in version 22.2.0. There are currently no known     workarounds. (CVE-2022-21716)

  - Twisted is an event-based framework for internet applications, supporting Python 3.6+. Prior to version     22.4.0rc1, the Twisted Web HTTP 1.1 server, located in the `twisted.web.http` module, parsed several HTTP     request constructs more leniently than permitted by RFC 7230. This non-conformant parsing can lead to     desync if requests pass through multiple HTTP parsers, potentially resulting in HTTP request smuggling.
    Users who may be affected use Twisted Web's HTTP 1.1 server and/or proxy and also pass requests through a     different HTTP server and/or proxy. The Twisted Web client is not affected. The HTTP 2.0 server uses a     different parser, so it is not affected. The issue has been addressed in Twisted 22.4.0rc1. Two     workarounds are available: Ensure any vulnerabilities in upstream proxies have been addressed, such as by     upgrading them; or filter malformed requests by other means, such as configuration of an upstream proxy.
    (CVE-2022-24801)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Ubuntu 22.04 LTS host has a package installed that is affected by a vulnerability as referenced in the USN-5576-1 advisory.

  - Twisted is an event-based framework for internet applications, supporting Python 3.6+. Prior to version     22.4.0rc1, the Twisted Web HTTP 1.1 server, located in the `twisted.web.http` module, parsed several HTTP     request constructs more leniently than permitted by RFC 7230. This non-conformant parsing can lead to     desync if requests pass through multiple HTTP parsers, potentially resulting in HTTP request smuggling.
    Users who may be affected use Twisted Web's HTTP 1.1 server and/or proxy and also pass requests through a     different HTTP server and/or proxy. The Twisted Web client is not affected. The HTTP 2.0 server uses a     different parser, so it is not affected. The issue has been addressed in Twisted 22.4.0rc1. Two     workarounds are available: Ensure any vulnerabilities in upstream proxies have been addressed, such as by     upgrading them; or filter malformed requests by other means, such as configuration of an upstream proxy.
    (CVE-2022-24801)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote CentOS Linux 7 host has a package installed that is affected by a vulnerability as referenced in the CESA-2022:4930 advisory.

  - python-twisted: possible http request smuggling (CVE-2022-24801)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of python-twisted-web installed on the remote host is prior to 12.1.0-8. It is, therefore, affected by a vulnerability as referenced in the ALAS2-2022-1827 advisory.

  - Twisted is an event-based framework for internet applications, supporting Python 3.6+. Prior to version     22.4.0rc1, the Twisted Web HTTP 1.1 server, located in the `twisted.web.http` module, parsed several HTTP     request constructs more leniently than permitted by RFC 7230. This non-conformant parsing can lead to     desync if requests pass through multiple HTTP parsers, potentially resulting in HTTP request smuggling.
    Users who may be affected use Twisted Web's HTTP 1.1 server and/or proxy and also pass requests through a     different HTTP server and/or proxy. The Twisted Web client is not affected. The HTTP 2.0 server uses a     different parser, so it is not affected. The issue has been addressed in Twisted 22.4.0rc1. Two     workarounds are available: Ensure any vulnerabilities in upstream proxies have been addressed, such as by     upgrading them; or filter malformed requests by other means, such as configuration of an upstream proxy.
    (CVE-2022-24801)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Scientific Linux 7 host has a package installed that is affected by a vulnerability as referenced in the SLSA-2022:4930-1 advisory.

  - python-twisted: possible http request smuggling (CVE-2022-24801)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 7 host has a package installed that is affected by a vulnerability as referenced in the ELSA-2022-4930 advisory.

  - Twisted is an event-based framework for internet applications, supporting Python 3.6+. Prior to version     22.4.0rc1, the Twisted Web HTTP 1.1 server, located in the `twisted.web.http` module, parsed several HTTP     request constructs more leniently than permitted by RFC 7230. This non-conformant parsing can lead to     desync if requests pass through multiple HTTP parsers, potentially resulting in HTTP request smuggling.
    Users who may be affected use Twisted Web's HTTP 1.1 server and/or proxy and also pass requests through a     different HTTP server and/or proxy. The Twisted Web client is not affected. The HTTP 2.0 server uses a     different parser, so it is not affected. The issue has been addressed in Twisted 22.4.0rc1. Two     workarounds are available: Ensure any vulnerabilities in upstream proxies have been addressed, such as by     upgrading them; or filter malformed requests by other means, such as configuration of an upstream proxy.
    (CVE-2022-24801)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 7 host has a package installed that is affected by a vulnerability as referenced in the RHSA-2022:4930 advisory.

  - python-twisted: possible http request smuggling (CVE-2022-24801)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Debian 9 host has packages installed that are affected by a vulnerability as referenced in the dla-2991 advisory.

  - Twisted is an event-based framework for internet applications, supporting Python 3.6+. Prior to version     22.4.0rc1, the Twisted Web HTTP 1.1 server, located in the `twisted.web.http` module, parsed several HTTP     request constructs more leniently than permitted by RFC 7230. This non-conformant parsing can lead to     desync if requests pass through multiple HTTP parsers, potentially resulting in HTTP request smuggling.
    Users who may be affected use Twisted Web's HTTP 1.1 server and/or proxy and also pass requests through a     different HTTP server and/or proxy. The Twisted Web client is not affected. The HTTP 2.0 server uses a     different parser, so it is not affected. The issue has been addressed in Twisted 22.4.0rc1. Two     workarounds are available: Ensure any vulnerabilities in upstream proxies have been addressed, such as by     upgrading them; or filter malformed requests by other means, such as configuration of an upstream proxy.
    (CVE-2022-24801)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES12 / SLES_SAP12 host has a package installed that is affected by a vulnerability as referenced in the SUSE-SU-2022:1546-1 advisory.

  - Twisted is an event-based framework for internet applications, supporting Python 3.6+. Prior to version     22.4.0rc1, the Twisted Web HTTP 1.1 server, located in the `twisted.web.http` module, parsed several HTTP     request constructs more leniently than permitted by RFC 7230. This non-conformant parsing can lead to     desync if requests pass through multiple HTTP parsers, potentially resulting in HTTP request smuggling.
    Users who may be affected use Twisted Web's HTTP 1.1 server and/or proxy and also pass requests through a     different HTTP server and/or proxy. The Twisted Web client is not affected. The HTTP 2.0 server uses a     different parser, so it is not affected. The issue has been addressed in Twisted 22.4.0rc1. Two     workarounds are available: Ensure any vulnerabilities in upstream proxies have been addressed, such as by     upgrading them; or filter malformed requests by other means, such as configuration of an upstream proxy.
    (CVE-2022-24801)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has a package installed that is affected by a vulnerability as referenced in the RHSA-2022:1646 advisory.

  - python-twisted: possible http request smuggling (CVE-2022-24801)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES15 / SLES_SAP15 host has a package installed that is affected by a vulnerability as referenced in the SUSE-SU-2022:1477-1 advisory.

  - Twisted is an event-based framework for internet applications, supporting Python 3.6+. Prior to version     22.4.0rc1, the Twisted Web HTTP 1.1 server, located in the `twisted.web.http` module, parsed several HTTP     request constructs more leniently than permitted by RFC 7230. This non-conformant parsing can lead to     desync if requests pass through multiple HTTP parsers, potentially resulting in HTTP request smuggling.
    Users who may be affected use Twisted Web's HTTP 1.1 server and/or proxy and also pass requests through a     different HTTP server and/or proxy. The Twisted Web client is not affected. The HTTP 2.0 server uses a     different parser, so it is not affected. The issue has been addressed in Twisted 22.4.0rc1. Two     workarounds are available: Ensure any vulnerabilities in upstream proxies have been addressed, such as by     upgrading them; or filter malformed requests by other means, such as configuration of an upstream proxy.
    (CVE-2022-24801)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has a package installed that is affected by a vulnerability as referenced in the RHSA-2022:1645 advisory.

  - python-twisted: possible http request smuggling (CVE-2022-24801)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
173953	Amazon Linux AMI : python-twisted-web (ALAS-2023-1717)	Nessus	Amazon Linux Local Security Checks	high
173089	Amazon Linux 2023 : python3-twisted, python3-twisted+tls (ALAS2023-2023-056)	Nessus	Amazon Linux Local Security Checks	high
172965	CBL Mariner 2.0 Security Update: python-twisted (CVE-2022-24801)	Nessus	MarinerOS Local Security Checks	high
168547	Amazon Linux 2022 : python-twisted (ALAS2022-2022-231)	Nessus	Amazon Linux Local Security Checks	high
165631	Ubuntu 22.04 LTS : Twisted vulnerability (USN-5576-1)	Nessus	Ubuntu Local Security Checks	high
163759	CentOS 7 : python-twisted-web (CESA-2022:4930)	Nessus	CentOS Local Security Checks	high
163315	Amazon Linux 2 : python-twisted-web (ALAS-2022-1827)	Nessus	Amazon Linux Local Security Checks	high
161974	Scientific Linux Security Update : python-twisted-web on SL7.x x86_64 (2022:4930)	Nessus	Scientific Linux Local Security Checks	high
161929	Oracle Linux 7 : python-twisted-web (ELSA-2022-4930)	Nessus	Oracle Linux Local Security Checks	high
161924	RHEL 7 : python-twisted-web (RHSA-2022:4930)	Nessus	Red Hat Local Security Checks	high
160979	Debian DLA-2991-1 : twisted - LTS security update	Nessus	Debian Local Security Checks	high
160672	SUSE SLES12 Security Update : python-Twisted (SUSE-SU-2022:1546-1)	Nessus	SuSE Local Security Checks	high
160384	RHEL 8 : Red Hat OpenStack Platform 16.1 (python-twisted) (RHSA-2022:1646)	Nessus	Red Hat Local Security Checks	high
160380	SUSE SLES15 Security Update : python-Twisted (SUSE-SU-2022:1477-1)	Nessus	SuSE Local Security Checks	high
160378	RHEL 8 : Red Hat OpenStack Platform 16.2 (python-twisted) (RHSA-2022:1645)	Nessus	Red Hat Local Security Checks	high

Detections

Analytics

CVE-2022-24801

high

Tenable Plugins

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high