CVE-2020-10109
Severity: 9.8 CRITICAL
EPSS: 3.5% (top 12.36%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline
Published: Mar 12
Latest update: Mar 31
Description
In Twisted Web through 19.10.0, there was an HTTP request splitting vulnerability. When presented with a content-length and a chunked encoding header, the content-length took precedence and the remainder of the request body was interpreted as a pipelined request.
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9
Affected Packages: 4 packages
Also affects: Debian Linux 9.0, Fedora 31, 32, Ubuntu Linux 14.04, 16.04, 18.04, 19.10
Vulnerability Details (4)
Vendor Advisories (5)
Red Hat, 2020-03-11: python-twisted: HTTP request smuggling when presented with a Content-Length and a chunked Transfer-Encoding header
Microsoft, 2020-03-10: In Twisted Web through 19.10.0 there was an HTTP request splitting vulnerability. When presented with a content-length and a chunked encoding header the content-length took precedence and the remainde
Debian, 2020: CVE-2020-10109: twisted - In Twisted Web through 19.10.0, there was an HTTP request splitting vulnerabilit...
Community (4)
Bugzilla, 2020-03-13: CVE-2020-10109 python-twisted: HTTP request splitting when presented with a content-length and a chunked encoding header [fedora-all]
Bugzilla, 2020-03-13: CVE-2020-10109 python-twisted: HTTP request smuggling when presented with a Content-Length and a chunked Transfer-Encoding header
Bugzilla, 2020-03-13: CVE-2020-10109 python-twisted: HTTP request splitting when presented with a content-length and a chunked encoding header [epel-8]
Bugzilla, 2020-03-13: CVE-2020-10109 python-twisted: HTTP request smuggling when presented with a Content-Length and a chunked Transfer-Encoding header [openstack-rdo]