Skip to content

Commit

Permalink
Latest data: Tue Jul 30 08:05:58 UTC 2024
Browse files Browse the repository at this point in the history
  • Loading branch information
github.actions committed Jul 30, 2024
1 parent 91f5fa0 commit bf6d59a
Show file tree
Hide file tree
Showing 8 changed files with 1,222 additions and 714 deletions.
374 changes: 374 additions & 0 deletions audits/alot-requirements.audit.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -1056,6 +1056,360 @@
"alot-requirements"
],
"vulnerabilities": [
{
"modified": "2024-07-29T16:56:56Z",
"published": "2024-07-29T16:33:11Z",
"schema_version": "1.6.0",
"id": "GHSA-c8m8-j448-xjx7",
"aliases": [
"CVE-2024-41671"
],
"summary": "twisted.web has disordered HTTP pipeline response",
"details": "### Summary\n\nThe HTTP 1.0 and 1.1 server provided by twisted.web could process pipelined HTTP requests out-of-order, possibly resulting in information disclosure.\n\n### PoC\n0. Start a fresh Debian container:\n```sh\ndocker run --workdir /repro --rm -it debian:bookworm-slim\n```\n1. Install twisted and its dependencies:\n```sh\napt -y update && apt -y install ncat git python3 python3-pip \\\n && git clone --recurse-submodules https://github.com/twisted/twisted \\\n && cd twisted \\\n && pip3 install --break-system-packages .\n```\n2. Run a twisted.web HTTP server that echos received requests' methods. e.g., the following:\n```python\nfrom twisted.web import server, resource\nfrom twisted.internet import reactor\n\nclass TheResource(resource.Resource):\n isLeaf = True\n\n def render_GET(self, request) -> bytes:\n return b\"GET\"\n\n def render_POST(self, request) -> bytes:\n return b\"POST\"\n\nsite = server.Site(TheResource())\nreactor.listenTCP(80, site)\nreactor.run()\n```\n3. Send it a POST request with a chunked message body, pipelined with another POST request, wait a second, then send a GET request on the same connection:\n```sh\n(printf 'POST / HTTP/1.1\\r\\nTransfer-Encoding: chunked\\r\\n\\r\\n0\\r\\n\\r\\nPOST / HTTP/1.1\\r\\nContent-Length: 0\\r\\n\\r\\n'; sleep 1; printf 'GET / HTTP/1.1\\r\\n\\r\\n'; sleep 1) | nc localhost 80\n```\n4. Observe that the responses arrive out of order:\n```\nHTTP/1.1 200 OK\nServer: TwistedWeb/24.3.0.post0\nDate: Tue, 09 Jul 2024 06:19:41 GMT\nContent-Length: 5\nContent-Type: text/html\n\nPOST\nHTTP/1.1 200 OK\nServer: TwistedWeb/24.3.0.post0\nDate: Tue, 09 Jul 2024 06:19:42 GMT\nContent-Length: 4\nContent-Type: text/html\n\nGET\nHTTP/1.1 200 OK\nServer: TwistedWeb/24.3.0.post0\nDate: Tue, 09 Jul 2024 06:19:42 GMT\nContent-Length: 5\nContent-Type: text/html\n\nPOST\n```\n\n### Impact\nSee [GHSA-xc8x-vp79-p3wm](https://github.com/twisted/twisted/security/advisories/GHSA-xc8x-vp79-p3wm). Further, for instances of twisted.web HTTP servers deployed behind reverse proxies that implement connection pooling, it may be possible for remote attackers to receive responses intended for other clients of the twisted.web server.",
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "twisted",
"purl": "pkg:pypi/twisted"
},
"ranges": [
{
"type": "ECOSYSTEM",
"events": [
{
"introduced": "0"
},
{
"fixed": "24.7.0rc1"
}
]
}
],
"versions": [
"1.0.1",
"1.0.3",
"1.0.4",
"1.0.5",
"1.0.6",
"1.0.7",
"1.1.0",
"1.1.1",
"1.2.0",
"10.0.0",
"10.1.0",
"10.2.0",
"11.0.0",
"11.1.0",
"12.0.0",
"12.1.0",
"12.2.0",
"12.3.0",
"13.0.0",
"13.1.0",
"13.2.0",
"14.0.0",
"14.0.1",
"14.0.2",
"15.0.0",
"15.1.0",
"15.2.0",
"15.2.1",
"15.3.0",
"15.4.0",
"15.5.0",
"16.0.0",
"16.1.0",
"16.1.1",
"16.2.0",
"16.3.0",
"16.3.1",
"16.3.2",
"16.4.0",
"16.4.1",
"16.5.0",
"16.5.0rc1",
"16.5.0rc2",
"16.6.0",
"16.6.0rc1",
"16.7.0rc1",
"16.7.0rc2",
"17.1.0",
"17.1.0rc1",
"17.5.0",
"17.9.0",
"17.9.0rc1",
"18.4.0",
"18.4.0rc1",
"18.7.0",
"18.7.0rc1",
"18.7.0rc2",
"18.9.0",
"18.9.0rc1",
"19.10.0",
"19.10.0rc1",
"19.2.0",
"19.2.0rc1",
"19.2.0rc2",
"19.2.1",
"19.7.0",
"19.7.0rc1",
"2.1.0",
"2.4.0",
"2.5.0",
"20.3.0",
"20.3.0rc1",
"21.2.0",
"21.2.0rc1",
"21.7.0",
"21.7.0rc1",
"21.7.0rc2",
"21.7.0rc3",
"22.1.0",
"22.1.0rc1",
"22.10.0",
"22.10.0rc1",
"22.2.0",
"22.2.0rc1",
"22.4.0",
"22.4.0rc1",
"22.8.0",
"22.8.0rc1",
"23.10.0",
"23.10.0rc1",
"23.8.0",
"23.8.0rc1",
"24.2.0rc1",
"24.3.0",
"8.0.0",
"8.0.1",
"8.1.0",
"8.2.0",
"9.0.0"
],
"database_specific": {
"last_known_affected_version_range": "<= 24.3.0",
"source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/07/GHSA-c8m8-j448-xjx7/GHSA-c8m8-j448-xjx7.json"
}
}
],
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L"
},
{
"type": "CVSS_V4",
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L"
}
],
"references": [
{
"type": "WEB",
"url": "https://github.com/twisted/twisted/security/advisories/GHSA-c8m8-j448-xjx7"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-41671"
},
{
"type": "WEB",
"url": "https://github.com/twisted/twisted/commit/046a164f89a0f08d3239ecebd750360f8914df33"
},
{
"type": "WEB",
"url": "https://github.com/twisted/twisted/commit/4a930de12fb67e88fefcb8822104152f42b27abc"
},
{
"type": "PACKAGE",
"url": "https://github.com/twisted/twisted"
}
],
"database_specific": {
"cwe_ids": [
"CWE-444"
],
"github_reviewed": true,
"github_reviewed_at": "2024-07-29T16:33:11Z",
"nvd_published_at": "2024-07-29T15:15:15Z",
"severity": "HIGH"
}
},
{
"modified": "2024-07-29T20:01:48Z",
"published": "2024-07-29T17:29:36Z",
"schema_version": "1.6.0",
"id": "GHSA-cf56-g6w6-pqq2",
"aliases": [
"CVE-2024-41810"
],
"summary": "Twisted vulnerable to HTML injection in HTTP redirect body",
"details": "### Summary\n\nThe `twisted.web.util.redirectTo` function contains an HTML injection vulnerability. If application code allows an attacker to control the redirect URL this vulnerability may result in Reflected Cross-Site Scripting (XSS) in the redirect response HTML body.\n\n### Details\nTwisted\u2019s `redirectTo` function generates an `HTTP 302 Redirect` response. The response contains an HTML body, built for exceptional cases where the browser doesn\u2019t properly handle the redirect, allowing the user to click a link, navigating them to the specified destination.\n\nThe function reflects the destination URL in the HTML body without any output encoding. \n```python\n# https://github.com/twisted/twisted/blob/trunk/src/twisted/web/_template_util.py#L88\ndef redirectTo(URL: bytes, request: IRequest) -> bytes:\n # ---snip---\n content = b\"\"\"\n<html>\n <head>\n <meta http-equiv=\\\"refresh\\\" content=\\\"0;URL=%(url)s\\\">\n </head>\n <body bgcolor=\\\"#FFFFFF\\\" text=\\\"#000000\\\">\n <a href=\\\"%(url)s\\\">click here</a>\n </body>\n</html>\n\"\"\" % {\n b\"url\": URL\n }\n return content\n```\n\nIf an attacker has full or partial control over redirect location due to an application bug, also known as an \u201cOpen Redirect\u201d, they may inject arbitrary HTML into the response\u2019s body, ultimately leading to an XSS attack.\n\nIt\u2019s worth noting that the issue is known to maintainers and tracked with GitHub [Issue#9839](https://github.com/twisted/twisted/issues/9839). The issue description, however, does not make any mention of exploitability and simply states: \u201c\u2026Browsers don't seem to actually render that page\u2026\u201d\n\n### PoC\nThe issue can be reproduced by running the following Twisted-based HTTP server locally:\n```python\nfrom twisted.web import server, resource\nfrom twisted.internet import reactor\nfrom twisted.web.util import redirectTo\n\nclass Simple(resource.Resource):\n isLeaf = True\n def render_GET(self, request):\n url = request.args[b'url'][0] # <-- open redirect\n return redirectTo(url, request)\n\nsite = server.Site(Simple())\nreactor.listenTCP(9009, site)\nreactor.run()\n```\nOnce running, navigate to the following URL: `http://127.0.0.1:9009?url=ws://example.com/\"><script>alert(document.location)</script>`, and verify that the \u201calert\u201d dialog was displayed.\n\n**Note**: Due to the different ways browsers validate the redirect Location header, this attack is possible only in **Firefox**. All other tested browsers will display an error message to the user and will not render the HTML body.\n\n### Impact\nIf successfully exploited, the issue will allow malicious JavaScript to run in the context of the victim's session. This will in turn lead to unauthorized access/modification to victim's account and information associated with it, or allow for unauthorized operations to be performed within the context of the victim's session.",
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "twisted",
"purl": "pkg:pypi/twisted"
},
"ranges": [
{
"type": "ECOSYSTEM",
"events": [
{
"introduced": "0"
},
{
"fixed": "24.7.0rc1"
}
]
}
],
"versions": [
"1.0.1",
"1.0.3",
"1.0.4",
"1.0.5",
"1.0.6",
"1.0.7",
"1.1.0",
"1.1.1",
"1.2.0",
"10.0.0",
"10.1.0",
"10.2.0",
"11.0.0",
"11.1.0",
"12.0.0",
"12.1.0",
"12.2.0",
"12.3.0",
"13.0.0",
"13.1.0",
"13.2.0",
"14.0.0",
"14.0.1",
"14.0.2",
"15.0.0",
"15.1.0",
"15.2.0",
"15.2.1",
"15.3.0",
"15.4.0",
"15.5.0",
"16.0.0",
"16.1.0",
"16.1.1",
"16.2.0",
"16.3.0",
"16.3.1",
"16.3.2",
"16.4.0",
"16.4.1",
"16.5.0",
"16.5.0rc1",
"16.5.0rc2",
"16.6.0",
"16.6.0rc1",
"16.7.0rc1",
"16.7.0rc2",
"17.1.0",
"17.1.0rc1",
"17.5.0",
"17.9.0",
"17.9.0rc1",
"18.4.0",
"18.4.0rc1",
"18.7.0",
"18.7.0rc1",
"18.7.0rc2",
"18.9.0",
"18.9.0rc1",
"19.10.0",
"19.10.0rc1",
"19.2.0",
"19.2.0rc1",
"19.2.0rc2",
"19.2.1",
"19.7.0",
"19.7.0rc1",
"2.1.0",
"2.4.0",
"2.5.0",
"20.3.0",
"20.3.0rc1",
"21.2.0",
"21.2.0rc1",
"21.7.0",
"21.7.0rc1",
"21.7.0rc2",
"21.7.0rc3",
"22.1.0",
"22.1.0rc1",
"22.10.0",
"22.10.0rc1",
"22.2.0",
"22.2.0rc1",
"22.4.0",
"22.4.0rc1",
"22.8.0",
"22.8.0rc1",
"23.10.0",
"23.10.0rc1",
"23.8.0",
"23.8.0rc1",
"24.2.0rc1",
"24.3.0",
"8.0.0",
"8.0.1",
"8.1.0",
"8.2.0",
"9.0.0"
],
"database_specific": {
"last_known_affected_version_range": "<= 24.3.0",
"source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/07/GHSA-cf56-g6w6-pqq2/GHSA-cf56-g6w6-pqq2.json"
}
}
],
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
},
{
"type": "CVSS_V4",
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"
}
],
"references": [
{
"type": "WEB",
"url": "https://github.com/twisted/twisted/security/advisories/GHSA-cf56-g6w6-pqq2"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-41810"
},
{
"type": "WEB",
"url": "https://github.com/twisted/twisted/commit/046a164f89a0f08d3239ecebd750360f8914df33"
},
{
"type": "PACKAGE",
"url": "https://github.com/twisted/twisted"
}
],
"database_specific": {
"cwe_ids": [
"CWE-79"
],
"github_reviewed": true,
"github_reviewed_at": "2024-07-29T17:29:36Z",
"nvd_published_at": "2024-07-29T16:15:05Z",
"severity": "MODERATE"
}
},
{
"modified": "2024-02-16T08:14:29Z",
"published": "2023-10-25T21:15:13Z",
Expand Down Expand Up @@ -1371,6 +1725,26 @@
}
],
"groups": [
{
"ids": [
"GHSA-c8m8-j448-xjx7"
],
"aliases": [
"CVE-2024-41671",
"GHSA-c8m8-j448-xjx7"
],
"max_severity": "8.3"
},
{
"ids": [
"GHSA-cf56-g6w6-pqq2"
],
"aliases": [
"CVE-2024-41810",
"GHSA-cf56-g6w6-pqq2"
],
"max_severity": "6.1"
},
{
"ids": [
"GHSA-xc8x-vp79-p3wm",
Expand Down
Loading

0 comments on commit bf6d59a

Please sign in to comment.