Search for packages
| purl | pkg:deb/ubuntu/twisted@15.5.0-2 |
| Next non-vulnerable version | 18.9.0-3ubuntu1.1 |
| Latest non-vulnerable version | 18.9.0-6ubuntu1 |
| Risk | 10.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-3gua-vux5-aaaq
Aliases: CVE-2019-9512 GHSA-hgr8-6h9x-f7q9 |
Some HTTP/2 implementations are vulnerable to ping floods, potentially leading to a denial of service. The attacker sends continual pings to an HTTP/2 peer, causing the peer to build an internal queue of responses. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-54jv-na1n-aaac
Aliases: CVE-2019-12387 GHSA-6cc5-2vg4-cc7m PYSEC-2019-128 PYSEC-2019-58 |
In Twisted before 19.2.1, twisted.web did not validate or sanitize URIs or HTTP methods, allowing an attacker to inject invalid characters such as CRLF. |
Affected by 0 other vulnerabilities. |
|
VCID-6ypc-78mx-aaac
Aliases: CVE-2019-9514 GHSA-39qc-96h7-956f |
Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading to a denial of service. The attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer queues the RST_STREAM frames, this can consume excess memory, CPU, or both. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-atn1-v3d1-aaag
Aliases: CVE-2020-10109 GHSA-p5xh-vx83-mxcj PYSEC-2020-260 |
In Twisted Web through 19.10.0, there was an HTTP request splitting vulnerability. When presented with a content-length and a chunked encoding header, the content-length took precedence and the remainder of the request body was interpreted as a pipelined request. |
Affected by 0 other vulnerabilities. |
|
VCID-kfap-b6t7-aaam
Aliases: CVE-2019-9515 |
Some HTTP/2 implementations are vulnerable to a settings flood, potentially leading to a denial of service. The attacker sends a stream of SETTINGS frames to the peer. Since the RFC requires that the peer reply with one acknowledgement per SETTINGS frame, an empty SETTINGS frame is almost equivalent in behavior to a ping. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-q7nj-ndhs-aaaf
Aliases: CVE-2020-10108 GHSA-h96w-mmrf-2h6v PYSEC-2020-259 |
In Twisted Web through 19.10.0, there was an HTTP request splitting vulnerability. When presented with two content-length headers, it ignored the first header. When the second content-length value was set to zero, the request body was interpreted as a pipelined request. |
Affected by 0 other vulnerabilities. |
|
VCID-rmb8-9sp1-aaac
Aliases: CVE-2016-1000111 GHSA-3gqj-cmxr-p4x2 PYSEC-2020-214 |
Twisted before 16.3.1 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect CGI applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect a CGI application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue. |
Affected by 7 other vulnerabilities. |
|
VCID-sy9d-ubrb-aaak
Aliases: CVE-2019-12855 GHSA-65rm-h285-5cc5 PYSEC-2019-129 PYSEC-2019-59 |
In words.protocols.jabber.xmlstream in Twisted through 19.2.1, XMPP support did not verify certificates when used with TLS, allowing an attacker to MITM connections. |
Affected by 0 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|