CVE-2019-12387: Twisted CRLF Injection
In Twisted before 19.2.1, twisted.web did not validate or sanitize the HTTP method or the request URI before writing them into a request, so a caller-supplied value containing CR/LF (or other characters that are not legal in a method token or request-target) could terminate the request line early and inject arbitrary headers or an entire second request (CRLF injection, also known as HTTP request splitting). Twisted 19.2.1 fixes this by rejecting a method or URI that contains invalid characters; the fix commit is listed in the references below. Applications that build Twisted HTTP requests from untrusted input (a proxy, a URL fetcher, a webhook sender) should upgrade, and should validate that input themselves rather than rely solely on the library.
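The following is an added illustration written for this page, not Twisted's own code: it shows how a client that interpolates an unvalidated method or URI into the request line lets one call emit two requests, beside the RFC 7230 token/request-target check that a fixed client performs before serialising. The regular expressions, helper names and the constructed attacker input are this example's own assumptions, and the version check is a simple X.Y.Z comparison against the fixed release, not Twisted's version parser.

```python
import re

# Added example (not Twisted's implementation): request-line construction with and
# without validation, and why CR/LF in the method or URI splits the request.
# Character classes follow RFC 7230: method = token, request-target = visible ASCII.

# RFC 7230 "token": 1*tchar
_TOKEN = re.compile(rb"\A[!#$%&'*+\-.^_`|~0-9A-Za-z]+\Z")
# request-target: visible ASCII 0x21-0x7E only; SP, CR, LF and other controls excluded
_TARGET = re.compile(rb"\A[\x21-\x7e]+\Z")
# What a naive HTTP/1.x server would accept as the start of a request
_REQUEST_LINE = re.compile(rb"\A[!#$%&'*+\-.^_`|~0-9A-Za-z]+ [\x21-\x7e]+ HTTP/1\.[01]\Z")


def build_request_unvalidated(method: bytes, uri: bytes, host: bytes) -> bytes:
    """Vulnerable pattern: caller-supplied bytes go straight into the request line.

    The Host value is assumed trusted here; only method and URI are under attack.
    """
    return b"%s %s HTTP/1.1\r\nHost: %s\r\n\r\n" % (method, uri, host)


def validate_method(method: bytes) -> bytes:
    """Reject anything that is not an RFC 7230 token (this is what stops CR/LF)."""
    if not _TOKEN.match(method):
        raise ValueError("invalid HTTP method: %r" % (method,))
    return method


def validate_uri(uri: bytes) -> bytes:
    """Reject a request-target containing SP, CR, LF or any other control byte."""
    if not _TARGET.match(uri):
        raise ValueError("invalid request-target: %r" % (uri,))
    return uri


def build_request(method: bytes, uri: bytes, host: bytes) -> bytes:
    """Hardened pattern: validate before serialising, the approach taken in 19.2.1."""
    return build_request_unvalidated(validate_method(method), validate_uri(uri), host)


def request_lines(wire: bytes) -> list:
    """Return every line on the wire that parses as an HTTP/1.x request line."""
    return [line for line in wire.split(b"\r\n") if _REQUEST_LINE.match(line)]


def twisted_is_affected(version: str) -> bool:
    """True when a Twisted release string is older than 19.2.1, the fixed release.

    Assumption: plain X.Y.Z numbering. A pre-release suffix such as "19.2.1rc1" is
    treated as 19.2.1, which is optimistic; confirm with a proper audit tool before
    trusting a "not affected" answer.
    """
    parts = []
    for piece in version.split(".")[:3]:
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    parts += [0] * (3 - len(parts))
    return tuple(parts) < (19, 2, 1)


if __name__ == "__main__":
    # Constructed attacker input: a URI that closes the request line and appends
    # a second request, which a downstream server will read as a separate request.
    evil_uri = b"/ HTTP/1.1\r\nHost: example.com\r\n\r\nGET /admin"
    wire = build_request_unvalidated(b"GET", evil_uri, b"example.com")
    print(request_lines(wire))  # two request lines from a single API call
    try:
        build_request(b"GET", evil_uri, b"example.com")
    except ValueError as exc:
        print("rejected:", exc)
    print(twisted_is_affected("19.2.0"), twisted_is_affected("19.2.1"))
```

The validated path rejects the input outright rather than stripping the CR/LF; stripping would silently change the request an attacker sent and still leaves ambiguity in how intermediaries parse it, which is why the fixed library raises instead of sanitising.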
References
- github.com/advisories/GHSA-6cc5-2vg4-cc7m
- github.com/pypa/advisory-database/tree/main/vulns/twisted/PYSEC-2019-128.yaml
- github.com/twisted/twisted
- github.com/twisted/twisted/commit/6c61fc4503ae39ab8ecee52d10f10ee2c371d7e2
- labs.twistedmatrix.com/2019/06/twisted-1921-released.html
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2G5RPDQ4BNB336HL6WW5ZJ344MAWNN7N
- nvd.nist.gov/vuln/detail/CVE-2019-12387
- twistedmatrix.com/pipermail/twisted-python/2019-June/032352.html
- usn.ubuntu.com/4308-1
- usn.ubuntu.com/4308-2
- www.oracle.com/security-alerts/cpuapr2020.html