CVE-2019-12387

CVE Database · CVE-2019-12387

CVE-2019-12387

· MEDIUMModified

CVSS v3.1

6.1

EPSS

2.54%

Published

Jun 10, 2019

Modified

Nov 25, 2024

Public PoC / Exploit (1)

All weaponized →

TrickestTrickest PoC index

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

In Twisted before 19.2.1, twisted.web did not validate or sanitize URIs or HTTP methods, allowing an attacker to inject invalid characters such as CRLF.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Weaknesses (CWE)

CWE-74

Affected Products (8)

twisted · twisted (up to 19.2.1)vulnerable

fedoraproject · fedoravulnerable

canonical · ubuntu_linuxvulnerable

oracle · zfs_storage_appliance_kitvulnerable

oracle · solarisvulnerable

References (18)

http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00030.html

Broken Link

http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00042.html

Broken Link

https://github.com/twisted/twisted/commit/6c61fc4503ae39ab8ecee52d10f10ee2c371d7e2

PatchThird Party Advisory

https://labs.twistedmatrix.com/2019/06/twisted-1921-released.html

ExploitRelease NotesVendor Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2G5RPDQ4BNB336HL6WW5ZJ344MAWNN7N/

https://twistedmatrix.com/pipermail/twisted-python/2019-June/032352.html

KEV Catalog EPSS Scores Vendors All CVEs