CVE-2019-12387

Published: Jun 10, 2019Modified: Nov 25, 2024

6.1

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Exploitability: 2.8 / Impact: 2.7

Source: NVD

Description

In Twisted before 19.2.1, twisted.web did not validate or sanitize URIs or HTTP methods, allowing an attacker to inject invalid characters such as CRLF.

Affected (8)

Products: Twisted: Twisted · Fedoraproject: Fedora · Canonical: Ubuntu Linux · +1 more

Show all products

Twisted: Twisted · Fedoraproject: Fedora · Canonical: Ubuntu Linux · Oracle: Solaris, Zfs Storage Appliance Kit

1 product

1 product

1 product

2 products

Zfs Storage Appliance Kit

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Twisted Twisted	Before 19.2.1

Configuration B

1 vulnerable

Vulnerable Software	Affected Versions
Fedoraproject Fedora	Version 29

Configuration C

4 vulnerable

Vulnerable Software	Affected Versions
Canonical Ubuntu Linux	Version 14.04
Canonical Ubuntu Linux	Version 16.04
Canonical Ubuntu Linux	Version 18.04
Canonical Ubuntu Linux	Version 19.10

Configuration D

2 vulnerable

Vulnerable Software	Affected Versions
Oracle Solaris	Version 11
Oracle Zfs Storage Appliance Kit	Version 8.8

Related CWEs

CWE-74

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

References (18)

http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00030.html

Source: cve@mitre.org

Broken Link

http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00042.html

Source: cve@mitre.org

Broken Link

https://github.com/twisted/twisted/commit/6c61fc4503ae39ab8ecee52d10f10ee2c371d7e2

Source: cve@mitre.org

PatchThird Party Advisory

https://labs.twistedmatrix.com/2019/06/twisted-1921-released.html

Source: cve@mitre.org

ExploitRelease NotesVendor Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2G5RPDQ4BNB336HL6WW5ZJ344MAWNN7N/

Source: cve@mitre.org

https://twistedmatrix.com/pipermail/twisted-python/2019-June/032352.html

Source: cve@mitre.org

ExploitRelease NotesVendor Advisory

https://usn.ubuntu.com/4308-1/

Source: cve@mitre.org

Third Party Advisory

https://usn.ubuntu.com/4308-2/

Source: cve@mitre.org

Third Party Advisory

https://www.oracle.com/security-alerts/cpuapr2020.html

Source: cve@mitre.org

PatchThird Party Advisory

http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00030.html