CVE-2020-10109
Published 2020-03-12
Priority: P353 · critical · 9.8 (CVSS 3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS: 3.30% (87.0th percentile)
In Twisted Web through 19.10.0, there was an HTTP request splitting vulnerability. When presented with a content-length and a chunked encoding header, the content-length took precedence and the remainder of the request body was interpreted as a pipelined request.
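The precedence bug described above, seen from the defensive side. This is an added example, not Twisted's own code: a strict HTTP/1.1 request framer that follows RFC 7230 section 3.3.3 and refuses any request carrying both Content-Length and Transfer-Encoding instead of letting one header win. Assumptions: a single request buffer is handed in, only a lone `chunked` coding is accepted, and the three sample requests (`AMBIGUOUS`, `CHUNKED`, `PIPELINED`) are constructed for illustration, not captured traffic.

```python
"""Added example (not Twisted's code): strict HTTP/1.1 request framing.

Twisted Web <= 19.10.0 let Content-Length win when a chunked
Transfer-Encoding was also present. A strict framer refuses to choose,
because the two headers describe different body boundaries and an
upstream proxy may have picked the other one.
"""
from dataclasses import dataclass
from typing import Dict, Tuple


class BadRequest(Exception):
    """Raised where a server should answer 400 and close the connection."""


@dataclass
class Framed:
    method: str
    target: str
    headers: Dict[str, str]   # lower-cased field name -> value
    body: bytes               # body as delimited by the chosen framing
    rest: bytes               # bytes after this request (legitimate pipelining)


def _split_head(raw: bytes) -> Tuple[str, str, Dict[str, str], bytes]:
    """Parse request line and header block; return (method, target, headers, body bytes)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise BadRequest("incomplete header block")
    try:
        lines = head.decode("ascii").split("\r\n")
    except UnicodeDecodeError:
        raise BadRequest("non-ASCII bytes in header block")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        raise BadRequest("malformed request line")
    method, target, _version = parts
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not name.strip():
            raise BadRequest("malformed header line")
        name, value = name.strip().lower(), value.strip()
        if name in headers:
            if name == "content-length":
                if headers[name] != value:
                    # Two differing lengths is another framing ambiguity; do not guess.
                    raise BadRequest("conflicting Content-Length values")
            else:
                headers[name] = headers[name] + ", " + value
        else:
            headers[name] = value
    return method, target, headers, body


def _decode_chunked(data: bytes) -> Tuple[bytes, bytes]:
    """Decode a chunked body; return (decoded body, bytes after the last-chunk)."""
    out = bytearray()
    pos = 0
    while True:
        nl = data.find(b"\r\n", pos)
        if nl < 0:
            raise BadRequest("truncated chunk-size line")
        size_field = data[pos:nl].split(b";", 1)[0].strip()  # drop chunk extensions
        try:
            size = int(size_field.decode("ascii"), 16)
        except ValueError:
            raise BadRequest("bad chunk size")
        pos = nl + 2
        if size == 0:
            # last-chunk: trailers are not accepted here, so expect the bare CRLF
            if data[pos:pos + 2] != b"\r\n":
                raise BadRequest("missing CRLF after last-chunk")
            return bytes(out), data[pos + 2:]
        if data[pos + size:pos + size + 2] != b"\r\n":
            raise BadRequest("truncated or mis-terminated chunk")
        out += data[pos:pos + size]
        pos += size + 2


def frame_request(raw: bytes) -> Framed:
    """Delimit one request from raw bytes, rejecting ambiguous framing."""
    method, target, headers, body = _split_head(raw)
    te = headers.get("transfer-encoding")
    cl = headers.get("content-length")
    if te is not None and cl is not None:
        # The ambiguity behind CVE-2020-10109: refuse to pick a winner.
        raise BadRequest("both Transfer-Encoding and Content-Length present")
    if te is not None:
        if [c.strip().lower() for c in te.split(",")] != ["chunked"]:
            raise BadRequest("unsupported Transfer-Encoding: " + te)
        decoded, rest = _decode_chunked(body)
        return Framed(method, target, headers, decoded, rest)
    if cl is not None:
        if not cl.isdigit():
            raise BadRequest("non-numeric Content-Length")
        n = int(cl)
        if len(body) < n:
            raise BadRequest("body shorter than Content-Length")
        return Framed(method, target, headers, body[:n], body[n:])
    return Framed(method, target, headers, b"", body)


def framing_of(raw: bytes) -> str:
    """Summarise the decision: 'chunked', 'content-length', 'none' or 'reject'."""
    try:
        framed = frame_request(raw)
    except BadRequest:
        return "reject"
    if "transfer-encoding" in framed.headers:
        return "chunked"
    return "content-length" if "content-length" in framed.headers else "none"


# Constructed sample requests (not captured traffic).
AMBIGUOUS = (b"POST /submit HTTP/1.1\r\nHost: example.test\r\n"
             b"Content-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n")
CHUNKED = (b"POST /submit HTTP/1.1\r\nHost: example.test\r\n"
           b"Transfer-Encoding: chunked\r\n\r\n5\r\nhello\r\n0\r\n\r\n")
PIPELINED = (b"POST /submit HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n\r\n"
             b"helloGET /next HTTP/1.1\r\nHost: example.test\r\n\r\n")

if __name__ == "__main__":
    for label, raw in (("ambiguous", AMBIGUOUS), ("chunked", CHUNKED), ("pipelined", PIPELINED)):
        print(label, "->", framing_of(raw))
```

The `PIPELINED` case shows that a Content-Length body followed by a second request is still accepted: that is ordinary HTTP/1.1 pipelining, and the `rest` field hands the trailing bytes to the next parse. Only the case where both framing headers are present is rejected, which is what removes the disagreement between a front-end and this server that request smuggling depends on.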
Affected
23 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| debian | debian_linux | — | — |
| debian | twisted | < twisted 18.9.0-7 (bookworm) | twisted 18.9.0-7 (bookworm) |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| msrc | cbl2_python-twisted_22.2.0-1_on_cbl_mariner_2.0 | — | — |
| msrc | cbl_mariner_1.0_arm | — | — |
| msrc | cbl_mariner_1.0_x64 | — | — |
| msrc | cbl_mariner_2.0_arm | — | — |
| msrc | cbl_mariner_2.0_x64 | — | — |
| msrc | cm1_python-twisted_20.3.0-1_on_cbl_mariner_1.0 | — | — |
| twisted | twisted | <= 19.10.0 | — |
| twisted | twisted | >= 0 < 18.9.0-7 | 18.9.0-7 |
| twisted | twisted | >= 0 < 18.9.0-7 | 18.9.0-7 |
| twisted | twisted | >= 0 < 18.9.0-7 | 18.9.0-7 |
| twisted | twisted | >= 0 < 18.9.0-7 | 18.9.0-7 |
| twisted | twisted | >= 0 < 20.3.0 | 20.3.0 |
| twisted | twisted | >= 0 < 16.0.0-1ubuntu0.4 | 16.0.0-1ubuntu0.4 |
| twisted | twisted | >= 0 < 17.9.0-2ubuntu0.1 | 17.9.0-2ubuntu0.1 |
| twisted | twisted | >= 0 < 13.2.0-1ubuntu1.2+esm1 | 13.2.0-1ubuntu1.2+esm1 |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | — | 9.8 | CRITICAL | — |
| vendor_debian | — | 9.8 | CRITICAL | — |
| vendor_msrc | — | 9.8 | CRITICAL | — |
| vendor_redhat | — | 9.8 | CRITICAL | — |
| vendor_ubuntu | — | 6.1 | MEDIUM | — |
Ubuntu
Twisted vulnerabilities
vendor_ubuntu·2020-03-30·CVSS 6.1
CVE-2019-12387 [MEDIUM] Twisted vulnerabilities
Title: Twisted vulnerabilities
Summary: Several security issues were fixed in Twisted.
USN-4308-1 fixed several vulnerabilities in Twisted. This update provides
the corresponding update for Ubuntu 14.04 ESM.
Original advisory details:
It was discovered that Twisted incorrectly validated or sanitized certain
URIs or HTTP methods. A remote attacker could use this issue to inject
invalid characters and possibly perform header injection attacks.
(CVE-2019-12387)
It was discovered that Twisted incorrectly verified XMPP TLS certificates.
A remote attacker could possibly use this issue to perform a
machine-in-the-middle attack and obtain sensitive information. (CVE-2019-12855)
Jake Miller and ZeddYu Lu discovered that Twisted incorrectly handled
certain content-length headers. A remote atta
Ubuntu
Twisted vulnerabilities
vendor_ubuntu·2020-03-19·CVSS 6.1
CVE-2019-12387 [MEDIUM] Twisted vulnerabilities
Title: Twisted vulnerabilities
Summary: Several security issues were fixed in Twisted.
It was discovered that Twisted incorrectly validated or sanitized certain
URIs or HTTP methods. A remote attacker could use this issue to inject
invalid characters and possibly perform header injection attacks.
(CVE-2019-12387)
It was discovered that Twisted incorrectly verified XMPP TLS certificates.
A remote attacker could possibly use this issue to perform a
machine-in-the-middle attack and obtain sensitive information. (CVE-2019-12855)
It was discovered that Twisted incorrectly handled HTTP/2 connections. A
remote attacker could possibly use this issue to cause Twisted to hang or
consume resources, leading to a denial of service. This issue only affected
Ubuntu 18.04 LTS and Ubuntu 19.10. (CVE-20
Red Hat
python-twisted: HTTP request smuggling when presented with a Content-Length and a chunked Transfer-Encoding header
vendor_redhat·2020-03-11·CVSS 9.8
CVE-2020-10109 [CRITICAL] CWE-20 python-twisted: HTTP request smuggling when presented with a Content-Length and a chunked Transfer-Encoding header
python-twisted: HTTP request smuggling when presented with a Content-Length and a chunked Transfer-Encoding header
In Twisted Web through 19.10.0, there was an HTTP request splitting vulnerability. When presented with a content-length and a chunked encoding header, the content-length took precedence and the remainder of the request body was interpreted as a pipelined request.
A flaw was found in python-twisted-web, where it does not correctly process HTTP requests with both Content-Length and Transfer-Encoding headers. When the requests sent from and to the python-twisted-web are processed by another component that correctly processes HTTP requests, for example, a proxy, back-end, or web application firewall, a remote attacker can use this flaw to perform an HTTP request smuggling attack.
Microsoft
In Twisted Web through 19.10.0 there was an HTTP request splitting vulnerability. When presented with a content-length and a chunked encoding header the content-length took precedence and the remainde
vendor_msrc·2020-03-10·CVSS 9.8
CVE-2020-10109 [CRITICAL] CWE-444 In Twisted Web through 19.10.0 there was an HTTP request splitting vulnerability. When presented with a content-length and a chunked encoding header the content-length took precedence and the remainde
In Twisted Web through 19.10.0 there was an HTTP request splitting vulnerability. When presented with a content-length and a chunked encoding header the content-length took precedence and the remainder of the request body was interpreted as a pipelined request.
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If im
Debian
CVE-2020-10109: twisted - In Twisted Web through 19.10.0, there was an HTTP request splitting vulnerabilit...
vendor_debian·2020·CVSS 9.8
CVE-2020-10109 [CRITICAL] CVE-2020-10109: twisted - In Twisted Web through 19.10.0, there was an HTTP request splitting vulnerabilit...
In Twisted Web through 19.10.0, there was an HTTP request splitting vulnerability. When presented with a content-length and a chunked encoding header, the content-length took precedence and the remainder of the request body was interpreted as a pipelined request.
Scope: local
bookworm: resolved (fixed in 18.9.0-7)
bullseye: resolved (fixed in 18.9.0-7)
forky: resolved (fixed in 18.9.0-7)
sid: resolved (fixed in 18.9.0-7)
trixie: resolved (fixed in 18.9.0-7)
OSV
HTTP Request Smuggling in Twisted
osv·2020-03-31
CVE-2020-10109 [CRITICAL] HTTP Request Smuggling in Twisted
HTTP Request Smuggling in Twisted
In Twisted Web through 20.3.0, there was an HTTP request splitting vulnerability. When presented with a content-length and a chunked encoding header, the content-length took precedence and the remainder of the request body was interpreted as a pipelined request.
GHSA
HTTP Request Smuggling in Twisted
ghsa·2020-03-31
CVE-2020-10109 [CRITICAL] CWE-444 HTTP Request Smuggling in Twisted
HTTP Request Smuggling in Twisted
In Twisted Web through 20.3.0, there was an HTTP request splitting vulnerability. When presented with a content-length and a chunked encoding header, the content-length took precedence and the remainder of the request body was interpreted as a pipelined request.
OSV
twisted vulnerabilities
osv·2020-03-30·CVSS 6.1
CVE-2019-12387 [MEDIUM] twisted vulnerabilities
twisted vulnerabilities
USN-4308-1 fixed several vulnerabilities in Twisted. This update provides
the corresponding update for Ubuntu 14.04 ESM.
Original advisory details:
It was discovered that Twisted incorrectly validated or sanitized certain
URIs or HTTP methods. A remote attacker could use this issue to inject
invalid characters and possibly perform header injection attacks.
(CVE-2019-12387)
It was discovered that Twisted incorrectly verified XMPP TLS certificates.
A remote attacker could possibly use this issue to perform a
machine-in-the-middle attack and obtain sensitive information. (CVE-2019-12855)
Jake Miller and ZeddYu Lu discovered that Twisted incorrectly handled
certain content-length headers. A remote attacker could possibly use this
issue to perform HTTP request split
OSV
twisted vulnerabilities
osv·2020-03-19·CVSS 6.1
CVE-2019-12387 [MEDIUM] twisted vulnerabilities
twisted vulnerabilities
It was discovered that Twisted incorrectly validated or sanitized certain
URIs or HTTP methods. A remote attacker could use this issue to inject
invalid characters and possibly perform header injection attacks.
(CVE-2019-12387)
It was discovered that Twisted incorrectly verified XMPP TLS certificates.
A remote attacker could possibly use this issue to perform a
machine-in-the-middle attack and obtain sensitive information. (CVE-2019-12855)
It was discovered that Twisted incorrectly handled HTTP/2 connections. A
remote attacker could possibly use this issue to cause Twisted to hang or
consume resources, leading to a denial of service. This issue only affected
Ubuntu 18.04 LTS and Ubuntu 19.10. (CVE-2019-9512, CVE-2019-9514,
CVE-2019-9515)
Jake Miller and ZeddYu L
OSV
CVE-2020-10109: In Twisted Web through 19
osv·2020-03-12·CVSS 9.8
CVE-2020-10109 [CRITICAL] CVE-2020-10109: In Twisted Web through 19
In Twisted Web through 19.10.0, there was an HTTP request splitting vulnerability. When presented with a content-length and a chunked encoding header, the content-length took precedence and the remainder of the request body was interpreted as a pipelined request.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2020-10109 python-twisted: HTTP request splitting when presented with a content-length and a chunked encoding header [fedora-all]
bugzilla·2020-03-13·CVSS 9.8
CVE-2020-10109 [CRITICAL] CVE-2020-10109 python-twisted: HTTP request splitting when presented with a content-length and a chunked encoding header [fedora-all]
CVE-2020-10109 python-twisted: HTTP request splitting when presented with a content-length and a chunked encoding header [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit messag
Bugzilla
CVE-2020-10109 python-twisted: HTTP request smuggling when presented with a Content-Length and a chunked Transfer-Encoding header
bugzilla·2020-03-13·CVSS 9.8
CVE-2020-10109 [CRITICAL] CVE-2020-10109 python-twisted: HTTP request smuggling when presented with a Content-Length and a chunked Transfer-Encoding header
CVE-2020-10109 python-twisted: HTTP request smuggling when presented with a Content-Length and a chunked Transfer-Encoding header
In Twisted Web through 19.10.0, there was an HTTP request splitting vulnerability. When presented with a content-length and a chunked encoding header, the content-length took precedence and the remainder of the request body was interpreted as a pipelined request.
Reference:
https://know.bishopfox.com/advisories/twisted-version-19.10.0
Discussion:
Created python-twisted tracking bugs for this issue:
Affects: epel-8 [bug 1813450]
Affects: fedora-all [bug 1813449]
Affects: openstack-rdo [bug 1813448]
---
External References:
https://github.com/twisted/twisted/blob/twisted-20.3.0/NEWS.rst
---
Upstream commit: https://github.com/twisted/twisted/commit/4a7d2
Bugzilla
CVE-2020-10109 python-twisted: HTTP request splitting when presented with a content-length and a chunked encoding header [epel-8]
bugzilla·2020-03-13·CVSS 9.8
CVE-2020-10109 [CRITICAL] CVE-2020-10109 python-twisted: HTTP request splitting when presented with a content-length and a chunked encoding header [epel-8]
CVE-2020-10109 python-twisted: HTTP request splitting when presented with a content-length and a chunked encoding header [epel-8]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of epel-8.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
Dis
Bugzilla
CVE-2020-10109 python-twisted: HTTP request smuggling when presented with a Content-Length and a chunked Transfer-Encoding header [openstack-rdo]
bugzilla·2020-03-13·CVSS 9.8
CVE-2020-10109 [CRITICAL] CVE-2020-10109 python-twisted: HTTP request smuggling when presented with a Content-Length and a chunked Transfer-Encoding header [openstack-rdo]
CVE-2020-10109 python-twisted: HTTP request smuggling when presented with a Content-Length and a chunked Transfer-Encoding header [openstack-rdo]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of openstack-rdo.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpk
References
- https://know.bishopfox.com/advisories
- https://know.bishopfox.com/advisories/twisted-version-19.10.0
- https://lists.debian.org/debian-lts-announce/2022/02/msg00021.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6ISMZFZBWW4EV6ETJGXAYIXN3AT7GBPL/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YW3NIL7VXSGJND2Q4BSXM3CFTAFU6T7D/
- https://security.gentoo.org/glsa/202007-24
- https://usn.ubuntu.com/4308-1/
- https://usn.ubuntu.com/4308-2/