中危 twisted.web 的 HTTP 管道响应无序 (CVE-2023-46137)
CVE编号
CVE-2023-46137利用情况
暂无补丁情况
官方补丁披露时间
2023-10-26漏洞描述
Twisted is an event-based framework for internet applications. Prior to version 23.10.0rc1, when sending multiple HTTP requests in one TCP packet, twisted.web will process the requests asynchronously without guaranteeing the response order. If one of the endpoints is controlled by an attacker, the attacker can delay the response on purpose to manipulate the response of the second request when a victim launched two requests using HTTP pipeline. Version 23.10.0rc1 contains a patch for this issue.解决建议
建议您更新当前系统或软件至最新版,完成漏洞的修复。
参考链接 |
|
|---|---|
| https://github.com/twisted/twisted/security/advisories/GHSA-xc8x-vp79-p3wm |
受影响软件情况
| # | 类型 | 厂商 | 产品 | 版本 | 影响面 | ||||
| 1 | |||||||||
|---|---|---|---|---|---|---|---|---|---|
| 运行在以下环境 | |||||||||
| 应用 | twistedmatrix | twisted | * | Up to (including) 22.8.0 | |||||
| 运行在以下环境 | |||||||||
| 系统 | debian_10 | twisted | * | Up to (including) 18.9.0-3+deb10u1 | |||||
| 运行在以下环境 | |||||||||
| 系统 | debian_11 | twisted | * | Up to (including) 20.3.0-7+deb11u1 | |||||
| 运行在以下环境 | |||||||||
| 系统 | debian_12 | twisted | * | Up to (including) 22.4.0-4 | |||||
| 运行在以下环境 | |||||||||
| 系统 | debian_sid | twisted | * | Up to (including) 22.4.0-4 | |||||
- 攻击路径 本地
- 攻击复杂度 困难
- 权限要求 管控权限
- 影响范围 有限影响
- EXP成熟度 未验证
- 补丁情况 官方补丁
- 数据保密性 无影响
- 数据完整性 无影响
- 服务器危害 无影响
- 全网数量 N/A
| CWE-ID | 漏洞类型 |
| CWE-444 | HTTP请求的解释不一致性(HTTP请求私运) |
Exp相关链接
版权声明
本站原创文章转载请注明文章出处及链接,谢谢合作!
评论