First published: Thu Mar 12 2020(Updated: )
In Twisted Web before 20.3.0, there was an HTTP request splitting vulnerability. When presented with two content-length headers, it ignored the first header. When the second content-length value was set to zero, the request body was interpreted as a pipelined request.
Credit: cve@mitre.org cve@mitre.org cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
Twistedmatrix Twisted | <=19.10.0 | |
Fedoraproject Fedora | =31 | |
Fedoraproject Fedora | =32 | |
Debian Debian Linux | =9.0 | |
Canonical Ubuntu Linux | =14.04 | |
Canonical Ubuntu Linux | =16.04 | |
Canonical Ubuntu Linux | =18.04 | |
Canonical Ubuntu Linux | =19.10 | |
Oracle ZFS Storage Appliance Kit | =8.8 | |
Oracle Solaris | =10 | |
Oracle Solaris | =11 | |
pip/Twisted | <20.3.0 | 20.3.0 |
Twisted Twisted | <=19.10.0 | |
debian/twisted | 20.3.0-7+deb11u1 20.3.0-7+deb11u2 22.4.0-4+deb12u1 24.11.0-1 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2020-10108 is an HTTP request splitting vulnerability in Twisted Web before version 20.3.0.
CVE-2020-10108 has a severity rating of 9.8, which is considered critical.
CVE-2020-10108 affects Twisted Web versions up to 19.10.0.
To fix CVE-2020-10108, you should update Twisted Web to version 20.3.0 or later.
You can find more information about CVE-2020-10108 at the Bishop Fox advisories page and the Fedora Project mailing list.