#VU26356 Inconsistent interpretation of HTTP requests in Twisted Web - CVE-2020-10109

Cybersecurity Help s.r.o.

Published: 2020-03-24

Vulnerability identifier: #VU26356

Vulnerability risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2020-10109

CWE-ID: CWE-444

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Twisted Web
Server applications / Web servers

Vendor: Twisted Matrix Labs

Description

The vulnerability allows a remote attacker to perform HTTP request smuggling attack.

The vulnerability exists due to insufficient input validation when processing Content-length and a Chunked encoding header, sent within one HTTP request. The Content-length header took precedence and the remainder of the request body was interpreted as a pipelined request. A remote attacker can send a specially crafted HTTP request to the affected web server and poison HTTP cache or perform other attacks against web application.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Twisted Web: 8.0.0 - 19.10.0

External links
https://know.bishopfox.com/advisories
https://know.bishopfox.com/advisories/twisted-version-19.10.0

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

SUSE update for python-Twisted

Gentoo update for Twisted

CentOS 7 update for python-twisted-web

Red Hat Enterprise Linux 7 update for python-twisted-web

Multiple vulnerabilities in Twisted Web component in Synapse

Inconsistent interpretation of HTTP requests in py3-twisted (Alpine package)

Multiple vulnerabilities in Twisted Web