PT-2019-5690 · Twisted · Twisted Web

Author: Jake Miller
Published: 2019-05-12 · Updated: 2025-03-26
CVE-2020-10109
CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
Twisted Web versions 19.10.0 and earlier
Twisted Web versions prior to 20.3.0

Description
The issue is an HTTP request splitting vulnerability in Twisted Web. When a request carries both a Content-Length header and a chunked Transfer-Encoding header, Content-Length takes precedence and the remainder of the request body is interpreted as a pipelined request. The flaw stems from insufficient input validation when processing HTTP headers and could allow a remote attacker to cause a denial of service.

Recommendations
For Twisted Web versions 19.10.0 and earlier, update to a version later than 19.10.0 to resolve the issue. For Twisted Web versions prior to 20.3.0, update to a version later than 20.3.0 to resolve the issue. As a temporary workaround, consider restricting the use of the Content-Length and chunked Transfer-Encoding headers in HTTP requests to minimize the risk of exploitation.
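The workaround above, restricting requests that carry both framing headers, can be enforced at a proxy or front end with a check like the following. This is an added example, not Twisted's code; the request samples are constructed, and the rule follows RFC 7230 §3.3.3, which says a message with both Transfer-Encoding and Content-Length ought to be handled as an error.

```python
"""Flag HTTP requests whose body framing is ambiguous (added example, not Twisted code).

A request carrying both Content-Length and Transfer-Encoding: chunked has two
candidate body lengths. The vulnerable Twisted Web behaviour let Content-Length
win and treated the leftover bytes as a pipelined request; RFC 7230 §3.3.3 says
such a message ought to be handled as an error, which is what this check does.
"""
from typing import Dict, List, Tuple


def parse_head(raw: bytes) -> Tuple[str, Dict[str, List[str]]]:
    """Split an HTTP/1.1 request head into its request line and headers.
    Header names are lower-cased; repeated headers are collected in order."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers


def framing_verdict(raw: bytes) -> str:
    """Return 'reject' for ambiguous framing, otherwise the single framing
    mechanism that applies: 'chunked', 'content-length' or 'none'."""
    _, headers = parse_head(raw)
    te = [v.lower() for v in headers.get("transfer-encoding", [])]
    cl = headers.get("content-length", [])
    chunked = any("chunked" in v for v in te)
    # Both mechanisms present: exactly the ambiguity this advisory describes.
    if chunked and cl:
        return "reject"
    # Duplicate or non-numeric Content-Length values are equally ambiguous.
    if len(cl) > 1 or any(not v.isdigit() for v in cl):
        return "reject"
    if chunked:
        return "chunked"
    return "content-length" if cl else "none"


# Constructed sample requests (not captured traffic).
AMBIGUOUS = (b"POST / HTTP/1.1\r\nHost: example\r\nContent-Length: 6\r\n"
             b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\n")
CLEAN = b"POST / HTTP/1.1\r\nHost: example\r\nContent-Length: 2\r\n\r\nhi"

if __name__ == "__main__":
    print(framing_verdict(AMBIGUOUS), framing_verdict(CLEAN))
```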

Tags: Exploit · Fix · HTTP Request/Response Smuggling · RCE

Related Identifiers

AZL-6820
BDU:2020-05699
CESA-2020_1561
CVE-2020-10109
DLA-2145-1
DLA-2145-2
DLA-2927-1
GHSA-P5XH-VX83-MXCJ
MGASA-2020-0428
OPENSUSE-SU-2022_2822-1
OPENSUSE-SU-2024:11041-1
PYSEC-2020-260
RHSA-2020:1561
RHSA-2020_1561
SUSE-SU-2022:2811-1
SUSE-SU-2022:2822-1
SUSE-SU-2022_2822-1
USN-4308-1
USN-4308-2

Affected Products

Astra Linux
CentOS
Red Hat
RED OS
SUSE
Twisted Web
Ubuntu