VulnerableCode Package Details - pkg:alpm/archlinux/python-twisted@21.7.0-4

Search for packages

Vulnerability	Summary	Fixed by
VCID-p1zd-pypu-aaam Aliases: CVE-2022-21716 GHSA-rv6r-3f5q-9rgx PYSEC-2022-160	Twisted is an event-based framework for internet applications, supporting Python 3.6+. Prior to 22.2.0, Twisted SSH client and server implement is able to accept an infinite amount of data for the peer's SSH version identifier. This ends up with a buffer using all the available memory. The attach is a simple as `nc -rv localhost 22 < /dev/zero`. A patch is available in version 22.2.0. There are currently no known workarounds.	There are no reported fixed by versions.
VCID-shy4-bwc3-aaar Aliases: CVE-2022-21712 GHSA-92x2-jw7w-xvvx PYSEC-2022-27	twisted is an event-driven networking engine written in Python. In affected versions twisted exposes cookies and authorization headers when following cross-origin redirects. This issue is present in the `twited.web.RedirectAgent` and `twisted.web. BrowserLikeRedirectAgent` functions. Users are advised to upgrade. There are no known workarounds.	There are no reported fixed by versions.
VCID-udmg-vnpc-aaag Aliases: CVE-2022-24801 GHSA-c2jg-hw38-jrqq PYSEC-2022-195	Twisted is an event-based framework for internet applications, supporting Python 3.6+. Prior to version 22.4.0rc1, the Twisted Web HTTP 1.1 server, located in the `twisted.web.http` module, parsed several HTTP request constructs more leniently than permitted by RFC 7230. This non-conformant parsing can lead to desync if requests pass through multiple HTTP parsers, potentially resulting in HTTP request smuggling. Users who may be affected use Twisted Web's HTTP 1.1 server and/or proxy and also pass requests through a different HTTP server and/or proxy. The Twisted Web client is not affected. The HTTP 2.0 server uses a different parser, so it is not affected. The issue has been addressed in Twisted 22.4.0rc1. Two workarounds are available: Ensure any vulnerabilities in upstream proxies have been addressed, such as by upgrading them; or filter malformed requests by other means, such as configuration of an upstream proxy.	There are no reported fixed by versions.

Vulnerability

Summary

Fixed by

VCID-p1zd-pypu-aaam
Aliases:
CVE-2022-21716
GHSA-rv6r-3f5q-9rgx
PYSEC-2022-160

Twisted is an event-based framework for internet applications, supporting Python 3.6+. Prior to 22.2.0, Twisted SSH client and server implement is able to accept an infinite amount of data for the peer's SSH version identifier. This ends up with a buffer using all the available memory. The attach is a simple as `nc -rv localhost 22 < /dev/zero`. A patch is available in version 22.2.0. There are currently no known workarounds.

There are no reported fixed by versions.

VCID-shy4-bwc3-aaar
Aliases:
CVE-2022-21712
GHSA-92x2-jw7w-xvvx
PYSEC-2022-27

twisted is an event-driven networking engine written in Python. In affected versions twisted exposes cookies and authorization headers when following cross-origin redirects. This issue is present in the `twited.web.RedirectAgent` and `twisted.web. BrowserLikeRedirectAgent` functions. Users are advised to upgrade. There are no known workarounds.

There are no reported fixed by versions.

VCID-udmg-vnpc-aaag
Aliases:
CVE-2022-24801
GHSA-c2jg-hw38-jrqq
PYSEC-2022-195

Twisted is an event-based framework for internet applications, supporting Python 3.6+. Prior to version 22.4.0rc1, the Twisted Web HTTP 1.1 server, located in the `twisted.web.http` module, parsed several HTTP request constructs more leniently than permitted by RFC 7230. This non-conformant parsing can lead to desync if requests pass through multiple HTTP parsers, potentially resulting in HTTP request smuggling. Users who may be affected use Twisted Web's HTTP 1.1 server and/or proxy and also pass requests through a different HTTP server and/or proxy. The Twisted Web client is not affected. The HTTP 2.0 server uses a different parser, so it is not affected. The issue has been addressed in Twisted 22.4.0rc1. Two workarounds are available: Ensure any vulnerabilities in upstream proxies have been addressed, such as by upgrading them; or filter malformed requests by other means, such as configuration of an upstream proxy.

There are no reported fixed by versions.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2025-03-28T07:43:54.109412+00:00	Arch Linux Importer	Affected by	VCID-shy4-bwc3-aaar	https://security.archlinux.org/AVG-2663	36.0.0
2025-03-28T07:43:54.086648+00:00	Arch Linux Importer	Affected by	VCID-p1zd-pypu-aaam	https://security.archlinux.org/AVG-2663	36.0.0
2025-03-28T07:43:54.070954+00:00	Arch Linux Importer	Affected by	VCID-udmg-vnpc-aaag	https://security.archlinux.org/AVG-2663	36.0.0
2024-09-18T01:59:02.740171+00:00	Arch Linux Importer	Affected by	VCID-shy4-bwc3-aaar	https://security.archlinux.org/AVG-2663	34.0.1
2024-09-18T01:59:02.722530+00:00	Arch Linux Importer	Affected by	VCID-p1zd-pypu-aaam	https://security.archlinux.org/AVG-2663	34.0.1
2024-09-18T01:59:02.701660+00:00	Arch Linux Importer	Affected by	VCID-udmg-vnpc-aaag	https://security.archlinux.org/AVG-2663	34.0.1
2024-01-03T22:25:21.230818+00:00	Arch Linux Importer	Affected by	VCID-shy4-bwc3-aaar	https://security.archlinux.org/AVG-2663	34.0.0rc1
2024-01-03T22:25:21.216435+00:00	Arch Linux Importer	Affected by	VCID-p1zd-pypu-aaam	https://security.archlinux.org/AVG-2663	34.0.0rc1
2024-01-03T22:25:21.201718+00:00	Arch Linux Importer	Affected by	VCID-udmg-vnpc-aaag	https://security.archlinux.org/AVG-2663	34.0.0rc1