Vulnerability Details CVE-2019-12387
In Twisted before 19.2.1, twisted.web did not validate or sanitize URIs or HTTP methods, allowing an attacker to inject invalid characters such as CRLF.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.005
EPSS Ranking 65.5%
CVSS Severity
CVSS v3 Score 6.1
CVSS v2 Score 4.3
References
- http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00030.html
- http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00042.html
- https://github.com/twisted/twisted/commit/6c61fc4503ae39ab8ecee52d10f10ee2c371d7e2
- https://labs.twistedmatrix.com/2019/06/twisted-1921-released.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2G5RPDQ4BNB336HL6WW5ZJ344MAWNN7N/
- https://twistedmatrix.com/pipermail/twisted-python/2019-June/032352.html
- https://usn.ubuntu.com/4308-1/
- https://usn.ubuntu.com/4308-2/
- https://www.oracle.com/security-alerts/cpuapr2020.html
- http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00030.html
- http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00042.html
- https://github.com/twisted/twisted/commit/6c61fc4503ae39ab8ecee52d10f10ee2c371d7e2
- https://labs.twistedmatrix.com/2019/06/twisted-1921-released.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2G5RPDQ4BNB336HL6WW5ZJ344MAWNN7N/
- https://twistedmatrix.com/pipermail/twisted-python/2019-June/032352.html
- https://usn.ubuntu.com/4308-1/
- https://usn.ubuntu.com/4308-2/
- https://www.oracle.com/security-alerts/cpuapr2020.html
Products affected by CVE-2019-12387
-
cpe:2.3:a:oracle:zfs_storage_appliance_kit:8.8
-
cpe:2.3:a:twisted:twisted:-
-
cpe:2.3:a:twisted:twisted:10.0.0
-
cpe:2.3:a:twisted:twisted:10.1.0
-
cpe:2.3:a:twisted:twisted:10.2.0
-
cpe:2.3:a:twisted:twisted:11.0.0
-
cpe:2.3:a:twisted:twisted:11.1.0
-
cpe:2.3:a:twisted:twisted:12.0.0
-
cpe:2.3:a:twisted:twisted:12.1.0
-
cpe:2.3:a:twisted:twisted:12.2.0
-
cpe:2.3:a:twisted:twisted:12.3.0
-
cpe:2.3:a:twisted:twisted:13.0.0
-
cpe:2.3:a:twisted:twisted:13.1.0
-
cpe:2.3:a:twisted:twisted:13.2.0
-
cpe:2.3:a:twisted:twisted:14.0.0
-
cpe:2.3:a:twisted:twisted:14.0.1
-
cpe:2.3:a:twisted:twisted:14.0.2
-
cpe:2.3:a:twisted:twisted:15.0.0
-
cpe:2.3:a:twisted:twisted:15.1.0
-
cpe:2.3:a:twisted:twisted:15.2.0
-
cpe:2.3:a:twisted:twisted:15.2.1
-
cpe:2.3:a:twisted:twisted:15.3.0
-
cpe:2.3:a:twisted:twisted:15.4.0
-
cpe:2.3:a:twisted:twisted:15.5.0
-
cpe:2.3:a:twisted:twisted:16.0.0
-
cpe:2.3:a:twisted:twisted:16.1.0
-
cpe:2.3:a:twisted:twisted:16.1.1
-
cpe:2.3:a:twisted:twisted:16.2.0
-
cpe:2.3:a:twisted:twisted:16.3.0
-
cpe:2.3:a:twisted:twisted:16.3.1
-
cpe:2.3:a:twisted:twisted:16.3.2
-
cpe:2.3:a:twisted:twisted:16.4.0
-
cpe:2.3:a:twisted:twisted:16.4.1
-
cpe:2.3:a:twisted:twisted:16.5.0
-
cpe:2.3:a:twisted:twisted:16.6.0
-
cpe:2.3:a:twisted:twisted:17.1.0
-
cpe:2.3:a:twisted:twisted:17.5.0
-
cpe:2.3:a:twisted:twisted:17.9.0
-
cpe:2.3:a:twisted:twisted:18.4.0
-
cpe:2.3:a:twisted:twisted:18.7.0
-
cpe:2.3:a:twisted:twisted:18.9.0
-
cpe:2.3:a:twisted:twisted:19.2.0
-
cpe:2.3:a:twisted:twisted:8.0.0
-
cpe:2.3:a:twisted:twisted:8.0.1
-
cpe:2.3:a:twisted:twisted:8.1.0
-
cpe:2.3:a:twisted:twisted:8.2.0
-
cpe:2.3:a:twisted:twisted:9.0.0
-
cpe:2.3:o:canonical:ubuntu_linux:14.04
-
cpe:2.3:o:canonical:ubuntu_linux:16.04
-
cpe:2.3:o:canonical:ubuntu_linux:18.04
-
cpe:2.3:o:canonical:ubuntu_linux:19.10
-
cpe:2.3:o:fedoraproject:fedora:29
-
cpe:2.3:o:oracle:solaris:11