{"id":"CVE-2019-12387","details":"In Twisted before 19.2.1, twisted.web did not validate or sanitize URIs or HTTP methods, allowing an attacker to inject invalid characters such as CRLF.","aliases":["GHSA-6cc5-2vg4-cc7m","PYSEC-2019-128"],"modified":"2026-01-31T21:04:39.959876Z","published":"2019-06-10T12:29:00.287Z","related":["MGASA-2019-0360","SUSE-SU-2019:1731-1","SUSE-SU-2019:2066-1","SUSE-SU-2022:4074-1","openSUSE-SU-2019:1760-1","openSUSE-SU-2019:1785-1","openSUSE-SU-2024:11212-1"],"references":[{"type":"WEB","url":"http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00030.html"},{"type":"WEB","url":"http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00042.html"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2G5RPDQ4BNB336HL6WW5ZJ344MAWNN7N/"},{"type":"ADVISORY","url":"https://github.com/twisted/twisted/commit/6c61fc4503ae39ab8ecee52d10f10ee2c371d7e2"},{"type":"ADVISORY","url":"https://labs.twistedmatrix.com/2019/06/twisted-1921-released.html"},{"type":"ADVISORY","url":"https://twistedmatrix.com/pipermail/twisted-python/2019-June/032352.html"},{"type":"ADVISORY","url":"https://usn.ubuntu.com/4308-1/"},{"type":"ADVISORY","url":"https://usn.ubuntu.com/4308-2/"},{"type":"ADVISORY","url":"https://www.oracle.com/security-alerts/cpuapr2020.html"},{"type":"FIX","url":"https://github.com/twisted/twisted/commit/6c61fc4503ae39ab8ecee52d10f10ee2c371d7e2"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpuapr2020.html"},{"type":"EVIDENCE","url":"https://labs.twistedmatrix.com/2019/06/twisted-1921-released.html"},{"type":"EVIDENCE","url":"https://twistedmatrix.com/pipermail/twisted-python/2019-June/032352.html"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/twisted/twisted","events":[{"introduced":"0"},{"fixed":"6c61fc4503ae39ab8ecee52d10f10ee2c371d7e2"}]}],"versions":["before-black","twisted-16.2.0","twisted-16.3.0","twisted-16.4.0","twisted-16.4.1","twisted-16.5.0","twisted-16.6.0","twisted-17.1.0","twisted-17.5.0","twisted-17.9.0","twisted-18.4.0","twisted-18.7.0","twisted-18.9.0","twisted-19.2.0"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2019-12387.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}]}