CVE-2019-12387

Advisory

In Twisted before 19.2.1, twisted.web did not validate or sanitize URIs or HTTP methods, allowing an attacker to inject invalid characters such as CRLF.

Affected package

Affected versions

Fixed versions

Vulnerability changelog

In Twisted before 19.2.1, twisted.web did not validate or sanitize URIs or HTTP methods, allowing an attacker to inject invalid characters such as CRLF.


CONFIRM:https://github.com/twisted/twisted/commit/6c61fc4503ae39ab8ecee52d10f10ee2c371d7e2: https://github.com/twisted/twisted/commit/6c61fc4503ae39ab8ecee52d10f10ee2c371d7e2
CONFIRM:https://labs.twistedmatrix.com/2019/06/twisted-1921-released.html: https://labs.twistedmatrix.com/2019/06/twisted-1921-released.html
CONFIRM:https://twistedmatrix.com/pipermail/twisted-python/2019-June/032352.html: https://twistedmatrix.com/pipermail/twisted-python/2019-June/032352.html

Resources

• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12387
• https://twistedmatrix.com/pipermail/twisted-python/2019-June/032352.html
• https://labs.twistedmatrix.com/2019/06/twisted-1921-released.html
• https://github.com/twisted/twisted/commit/6c61fc4503ae39ab8ecee52d10f10ee2c371d7e2
• http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00030.html
• http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00042.html
• https://lists.fedoraproject.org/archives/list/[email protected]/message/2G5RPDQ4BNB336HL6WW5ZJ344MAWNN7N/
• https://usn.ubuntu.com/4308-1/
• https://usn.ubuntu.com/4308-2/
• https://www.oracle.com/security-alerts/cpuapr2020.html