PT-2019-5686 · Twisted · Twisted Web
Published: 2019-05-12 · Updated: 2025-03-26
CVE-2020-10108
CVSS v2.0: 10 (Critical)
| Vector | AV:N/AC:L/Au:N/C:C/I:C/A:C |
Name of the Vulnerable Software and Affected Versions
Twisted Web versions prior to 20.3.0
Description
The vulnerability stems from insufficient validation of HTTP headers and results in HTTP request splitting. When a request carries two Content-Length headers, the first header is ignored. If the second Content-Length value is zero, the request body is interpreted as a pipelined request. A remote attacker can potentially use this behaviour to cause a denial of service.
Recommendations
Update Twisted Web to version 20.3.0 or later to resolve the issue. As a temporary workaround, restrict the handling of requests that carry multiple Content-Length headers, so that the body length can never be reinterpreted and request splitting is prevented.
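The following added example (not Twisted's own code) shows the check behind the workaround above: a minimal HTTP/1.1 request splitter that considers every Content-Length value, including comma-folded lists, and rejects the request when they conflict instead of silently using the last one. The class and function names, and the two sample requests, are constructed for this illustration.

```python
"""Strict Content-Length handling for a minimal HTTP/1.1 request parser.

Added example, not part of Twisted. A server that keeps only the last
Content-Length header lets a zero value detach the declared body, which is
then read as the next pipelined request. Rejecting conflicting values removes
that ambiguity.
"""
from typing import List, Optional, Tuple


class AmbiguousRequest(ValueError):
    """Raised when the body length cannot be determined unambiguously."""


def parse_head(raw: bytes) -> Tuple[bytes, List[Tuple[str, str]], bytes]:
    """Split a raw request into (request-line, [(name, value)...], remaining bytes)."""
    head, _, rest = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.append((name.strip().decode("ascii").lower(), value.strip().decode("ascii")))
    return lines[0], headers, rest


def body_length(headers: List[Tuple[str, str]]) -> Optional[int]:
    """Return the declared body length, or None when no Content-Length is present.

    Every Content-Length occurrence (and every comma-separated member) is
    collected. Differing or non-numeric values raise AmbiguousRequest; a server
    should answer with 400 Bad Request and close the connection.
    """
    values = set()
    for name, value in headers:
        if name == "content-length":
            values.update(part.strip() for part in value.split(","))
    if not values:
        return None
    if len(values) > 1 or not all(v.isdigit() for v in values):
        raise AmbiguousRequest(f"conflicting Content-Length values: {sorted(values)}")
    return int(values.pop())


def split_request(raw: bytes) -> Tuple[bytes, bytes, bytes]:
    """Return (request-line, body, leftover bytes) under the strict rule."""
    request_line, headers, rest = parse_head(raw)
    length = body_length(headers) or 0
    return request_line, rest[:length], rest[length:]


def is_ambiguous(raw: bytes) -> bool:
    """True when the request would be rejected for conflicting Content-Length."""
    try:
        split_request(raw)
    except AmbiguousRequest:
        return True
    return False


# Constructed samples: a well-formed request and one with two differing Content-Length headers.
GOOD = b"POST /a HTTP/1.1\r\nHost: x\r\nContent-Length: 5\r\n\r\nhello"
DUPLICATE = b"POST /a HTTP/1.1\r\nHost: x\r\nContent-Length: 5\r\nContent-Length: 0\r\n\r\nhello"
```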
Exploit
Fix
HTTP Request/Response Smuggling
RCE
Related Identifiers
Affected Products
Astra Linux
Centos
Red Hat
Red Os
Suse
Twisted Web
Ubuntu