CVE-2020-10109

Exploit

EPSS 2.52%
Veröffentlicht 12.03.2020 13:15:12
Zuletzt bearbeitet 25.11.2024 18:12:24
Quelle cve@mitre.org
Teams Watchlist Login
Unerledigt Login

In Twisted Web through 19.10.0, there was an HTTP request splitting vulnerability. When presented with a content-length and a chunked encoding header, the content-length took precedence and the remainder of the request body was interpreted as a pipelined request.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 11

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Twisted ≫ Twisted Version <= 19.10.0

Fedoraproject ≫ Fedora Version31

Fedoraproject ≫ Fedora Version32

Debian ≫ Debian Linux Version9.0

Canonical ≫ Ubuntu Linux Version14.04 SwEditionesm

Canonical ≫ Ubuntu Linux Version16.04 SwEditionesm

Canonical ≫ Ubuntu Linux Version18.04 SwEditionlts

Canonical ≫ Ubuntu Linux Version19.10

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	2.52%	0.849

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	7.5	10	6.4	AV:N/AC:L/Au:N/C:P/I:P/A:P

CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination.

https://usn.ubuntu.com/4308-1/

Third Party Advisory

https://usn.ubuntu.com/4308-2/

Third Party Advisory

https://know.bishopfox.com/advisories

Third Party Advisory

Exploit

https://know.bishopfox.com/advisories/twisted-version-19.10.0

Third Party Advisory

Release Notes

https://lists.debian.org/debian-lts-announce/2022/02/msg00021.html

Third Party Advisory