7.8 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:N/I:N/A:C
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
0.821 High
EPSS
Percentile
98.4%
Twisted developers reports:
All HTTP clients in twisted.web.client now raise a ValueError when
called with a method and/or URL that contain invalid characters. This
mitigates CVE-2019-12387. Thanks to Alex Brasetvik for reporting this
vulnerability.
The HTTP/2 server implementation now enforces TCP flow control on
control frame messages and times out clients that send invalid data
without reading responses. This closes CVE-2019-9512 (Ping Flood),
CVE-2019-9514 (Reset Flood), and CVE-2019-9515 (Settings Flood). Thanks
to Jonathan Looney and Piotr Sikora.
twisted.web.http was subject to several request smuggling attacks.
Requests with multiple Content-Length headers were allowed
(CVE-2020-10108, thanks to Jake Miller from Bishop Fox and ZeddYu Lu
for reporting this) and now fail with a 400; requests with a
Content-Length header and a Transfer-Encoding header honored the first
header (CVE-2020-10109, thanks to Jake Miller from Bishop Fox for
reporting this) and now fail with a 400; requests whose
Transfer-Encoding header had a value other than “chunked” and
“identity” (thanks to ZeddYu Lu) were allowed and now fail with a 400.
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
FreeBSD | any | noarch | py27-twisted | < 20.3.0 | UNKNOWN |
FreeBSD | any | noarch | py35-twisted | < 20.3.0 | UNKNOWN |
FreeBSD | any | noarch | py36-twisted | < 20.3.0 | UNKNOWN |
FreeBSD | any | noarch | py37-twisted | < 20.3.0 | UNKNOWN |
FreeBSD | any | noarch | py38-twisted | < 20.3.0 | UNKNOWN |
7.8 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:N/I:N/A:C
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
0.821 High
EPSS
Percentile
98.4%