First published: Thu Mar 12 2020(Updated: )
In Twisted Web through 19.10.0, there was an HTTP request splitting vulnerability. When presented with a content-length and a chunked encoding header, the content-length took precedence and the remainder of the request body was interpreted as a pipelined request.
Credit: cve@mitre.org cve@mitre.org cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
Twistedmatrix Twisted | <=19.10.0 | |
Fedoraproject Fedora | =31 | |
Fedoraproject Fedora | =32 | |
Debian Debian Linux | =9.0 | |
Canonical Ubuntu Linux | =14.04 | |
Canonical Ubuntu Linux | =16.04 | |
Canonical Ubuntu Linux | =18.04 | |
Canonical Ubuntu Linux | =19.10 | |
pip/Twisted | <20.3.0 | 20.3.0 |
Twisted Twisted | <=19.10.0 | |
debian/twisted | 20.3.0-7+deb11u1 20.3.0-7+deb11u2 22.4.0-4+deb12u1 24.11.0-1 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2020-10109 is an HTTP request splitting vulnerability in Twisted Web through 20.3.0.
CVE-2020-10109 has a severity score of 9.8, which is considered critical.
Twisted Web versions up to and including 20.3.0 are affected by CVE-2020-10109.
To fix CVE-2020-10109, update Twisted Web to version 20.3.0 or higher.
You can find more information about CVE-2020-10109 at the following URLs: https://know.bishopfox.com/advisories and https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6ISMZFZBWW4EV6ETJGXAYIXN3AT7GBPL/