CVE-2024-41671: 
Python vulnerability analysis and mitigation

Twisted, an event-based framework for internet applications supporting Python 3.6+, was found to have a vulnerability in its HTTP 1.0 and 1.1 server implementation (CVE-2024-41671). The vulnerability was discovered and disclosed on July 29, 2024, affecting twisted.web component versions up to 24.3.0. The issue has been fixed in version 24.7.0rc1 (GitHub Advisory).

The vulnerability stems from the HTTP server's improper handling of pipelined HTTP requests, where requests could be processed out-of-order. This is classified as CWE-444 (Inconsistent Interpretation of HTTP Requests). The vulnerability has received a CVSS v3.1 base score of 8.3 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L, indicating network accessibility with low attack complexity and no required privileges or user interaction (NVD).

The vulnerability could result in information disclosure, particularly in environments where twisted.web HTTP servers are deployed behind reverse proxies that implement connection pooling. In such scenarios, remote attackers might receive responses intended for other clients of the twisted.web server (GitHub Advisory).

The vulnerability has been patched in Twisted version 24.7.0rc1. Users are advised to upgrade to this version or later. Various Linux distributions have also released fixed packages, including Ubuntu 24.04 LTS (24.3.0-1ubuntu0.1), Ubuntu 22.04 LTS (22.1.0-2ubuntu2.6), Ubuntu 20.04 LTS (18.9.0-11ubuntu0.20.04.5), and Ubuntu 18.04 LTS (17.9.0-2ubuntu0.3+esm2) (Ubuntu Security).