CVE-2020-10108
Severity: 9.8 CRITICAL
EPSS: 3.4% (top 12.57%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline
Published: Mar 12
Latest update: Mar 31
Description
In Twisted Web through 19.10.0, there was an HTTP request splitting vulnerability. When presented with two content-length headers, it ignored the first header. When the second content-length value was set to zero, the request body was interpreted as a pipelined request.
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9
Affected Packages: 6 packages
Also affects: Debian Linux 9.0, Fedora 31, 32, Ubuntu Linux 14.04, 16.04, 18.04, 19.10
Patches
Vulnerability Details (4)
Vendor Advisories (5)
Red Hat
Microsoft, 2020-03-10: In Twisted Web through 19.10.0 there was an HTTP request splitting vulnerability. When presented with two content-length headers it ignored the first header. When the second content-length value was s
Debian, 2020: CVE-2020-10108: twisted - In Twisted Web through 19.10.0, there was an HTTP request splitting vulnerabilit...
Community (4)
Bugzilla, 2020-03-13: CVE-2020-10108 python-twisted: HTTP request smuggling when presented with two Content-Length headers
Bugzilla, 2020-03-13: CVE-2020-10108 python-twisted: HTTP request smuggling when presented with two Content-Length headers [epel-8]
Bugzilla, 2020-03-13: CVE-2020-10108 python-twisted: HTTP request splitting when presented with two content-length headers [fedora-all]
Bugzilla, 2020-03-13: CVE-2020-10108 python-twisted: HTTP request smuggling when presented with two Content-Length headers [openstack-rdo]