{"id":"GHSA-6cc5-2vg4-cc7m","summary":"Twisted CRLF Injection","details":"In Twisted before 19.2.1, twisted.web did not validate or sanitize URIs or HTTP methods, allowing an attacker to inject invalid characters such as CRLF.","aliases":["CVE-2019-12387","PYSEC-2019-128"],"modified":"2024-11-25T18:46:38.555511Z","published":"2019-06-10T18:05:06Z","database_specific":{"severity":"MODERATE","github_reviewed_at":"2019-06-10T18:04:12Z","cwe_ids":["CWE-74","CWE-93"],"nvd_published_at":"2019-06-10T12:29:00Z","github_reviewed":true},"references":[{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2019-12387"},{"type":"WEB","url":"https://github.com/twisted/twisted/commit/6c61fc4503ae39ab8ecee52d10f10ee2c371d7e2"},{"type":"ADVISORY","url":"https://github.com/advisories/GHSA-6cc5-2vg4-cc7m"},{"type":"WEB","url":"https://github.com/pypa/advisory-database/tree/main/vulns/twisted/PYSEC-2019-128.yaml"},{"type":"PACKAGE","url":"https://github.com/twisted/twisted"},{"type":"WEB","url":"https://labs.twistedmatrix.com/2019/06/twisted-1921-released.html"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2G5RPDQ4BNB336HL6WW5ZJ344MAWNN7N"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2G5RPDQ4BNB336HL6WW5ZJ344MAWNN7N"},{"type":"WEB","url":"https://twistedmatrix.com/pipermail/twisted-python/2019-June/032352.html"},{"type":"WEB","url":"https://usn.ubuntu.com/4308-1"},{"type":"WEB","url":"https://usn.ubuntu.com/4308-2"},{"type":"WEB","url":"https://www.oracle.com/security-alerts/cpuapr2020.html"},{"type":"WEB","url":"http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00030.html"},{"type":"WEB","url":"http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00042.html"}],"affected":[{"package":{"name":"twisted","ecosystem":"PyPI","purl":"pkg:pypi/twisted"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"19.2.1"}]}],"versions":["1.0.1","1.0.3","1.0.4","1.0.5","1.0.6","1.0.7","1.1.0","1.1.1","1.2.0","10.0.0","10.1.0","10.2.0","11.0.0","11.1.0","12.0.0","12.1.0","12.2.0","12.3.0","13.0.0","13.1.0","13.2.0","14.0.0","14.0.1","14.0.2","15.0.0","15.1.0","15.2.0","15.2.1","15.3.0","15.4.0","15.5.0","16.0.0","16.1.0","16.1.1","16.2.0","16.3.0","16.3.1","16.3.2","16.4.0","16.4.1","16.5.0","16.5.0rc1","16.5.0rc2","16.6.0","16.6.0rc1","16.7.0rc1","16.7.0rc2","17.1.0","17.1.0rc1","17.5.0","17.9.0","17.9.0rc1","18.4.0","18.4.0rc1","18.7.0","18.7.0rc1","18.7.0rc2","18.9.0","18.9.0rc1","19.2.0","19.2.0rc1","19.2.0rc2","2.1.0","2.4.0","2.5.0","8.0.0","8.0.1","8.1.0","8.2.0","9.0.0"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/06/GHSA-6cc5-2vg4-cc7m/GHSA-6cc5-2vg4-cc7m.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"}]}