{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "In Twisted Web through 19.10.0, there was an HTTP request splitting vulnerability. When presented with a content-length and a chunked encoding header, the content-length took precedence and the remainder of the request body was interpreted as a pipelined request."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2022-02-19T18:06:15", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://know.bishopfox.com/advisories"}, {"tags": ["x_refsource_MISC"], "url": "https://know.bishopfox.com/advisories/twisted-version-19.10.0"}, {"name": "FEDORA-2020-2136b020f2", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YW3NIL7VXSGJND2Q4BSXM3CFTAFU6T7D/"}, {"name": "FEDORA-2020-16dc0da400", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6ISMZFZBWW4EV6ETJGXAYIXN3AT7GBPL/"}, {"name": "USN-4308-2", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "https://usn.ubuntu.com/4308-2/"}, {"name": "USN-4308-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "https://usn.ubuntu.com/4308-1/"}, {"name": "GLSA-202007-24", "tags": ["vendor-advisory", "x_refsource_GENTOO"], "url": "https://security.gentoo.org/glsa/202007-24"}, {"name": "[debian-lts-announce] 20220219 [SECURITY] [DLA 2927-1] twisted security update", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-lts-announce/2022/02/msg00021.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-10109", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "In Twisted Web through 19.10.0, there was an HTTP request splitting vulnerability. When presented with a content-length and a chunked encoding header, the content-length took precedence and the remainder of the request body was interpreted as a pipelined request."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://know.bishopfox.com/advisories", "refsource": "MISC", "url": "https://know.bishopfox.com/advisories"}, {"name": "https://know.bishopfox.com/advisories/twisted-version-19.10.0", "refsource": "MISC", "url": "https://know.bishopfox.com/advisories/twisted-version-19.10.0"}, {"name": "FEDORA-2020-2136b020f2", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YW3NIL7VXSGJND2Q4BSXM3CFTAFU6T7D/"}, {"name": "FEDORA-2020-16dc0da400", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6ISMZFZBWW4EV6ETJGXAYIXN3AT7GBPL/"}, {"name": "USN-4308-2", "refsource": "UBUNTU", "url": "https://usn.ubuntu.com/4308-2/"}, {"name": "USN-4308-1", "refsource": "UBUNTU", "url": "https://usn.ubuntu.com/4308-1/"}, {"name": "GLSA-202007-24", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/202007-24"}, {"name": "[debian-lts-announce] 20220219 [SECURITY] [DLA 2927-1] twisted security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2022/02/msg00021.html"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T10:50:57.900Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://know.bishopfox.com/advisories"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://know.bishopfox.com/advisories/twisted-version-19.10.0"}, {"name": "FEDORA-2020-2136b020f2", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YW3NIL7VXSGJND2Q4BSXM3CFTAFU6T7D/"}, {"name": "FEDORA-2020-16dc0da400", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6ISMZFZBWW4EV6ETJGXAYIXN3AT7GBPL/"}, {"name": "USN-4308-2", "tags": ["vendor-advisory", "x_refsource_UBUNTU", "x_transferred"], "url": "https://usn.ubuntu.com/4308-2/"}, {"name": "USN-4308-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU", "x_transferred"], "url": "https://usn.ubuntu.com/4308-1/"}, {"name": "GLSA-202007-24", "tags": ["vendor-advisory", "x_refsource_GENTOO", "x_transferred"], "url": "https://security.gentoo.org/glsa/202007-24"}, {"name": "[debian-lts-announce] 20220219 [SECURITY] [DLA 2927-1] twisted security update", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2022/02/msg00021.html"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-10109", "datePublished": "2020-03-12T12:40:05", "dateReserved": "2020-03-05T00:00:00", "dateUpdated": "2024-08-04T10:50:57.900Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:twistedmatrix:twisted:*:*:*:*:*:*:*:*", "matchCriteriaId": "7E9923FC-A0E6-499A-A75A-83E9EAAFA09A", "versionEndIncluding": "19.10.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*", "matchCriteriaId": "80F0FA5D-8D3B-4C0E-81E2-87998286AF33", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*", "matchCriteriaId": "36D96259-24BD-44E2-96D9-78CE1D41F956", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:esm:*:*:*", "matchCriteriaId": "815D70A8-47D3-459C-A32C-9FEACA0659D1", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:esm:*:*:*", "matchCriteriaId": "7A5301BF-1402-4BE0-A0F8-69FBE79BC6D6", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*", "matchCriteriaId": "23A7C53F-B80F-4E6A-AFA9-58EEA84BE11D", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:19.10:*:*:*:*:*:*:*", "matchCriteriaId": "A31C8344-3E02-4EB8-8BD8-4C84B7959624", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In Twisted Web through 19.10.0, there was an HTTP request splitting vulnerability. When presented with a content-length and a chunked encoding header, the content-length took precedence and the remainder of the request body was interpreted as a pipelined request."}, {"lang": "es", "value": "En Twisted Web versiones hasta 19.10.0, se present\u00f3 una vulnerabilidad de divisi\u00f3n de petici\u00f3n HTTP. Cuando se present\u00f3 con un encabezado content-length y chunked encoding, el content-length tom\u00f3 precedencia y el resto del cuerpo de la petici\u00f3n se interpret\u00f3 como una petici\u00f3n canalizada \"pipelined\"."}], "id": "CVE-2020-10109", "lastModified": "2023-11-07T03:14:06.157", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-03-12T13:15:12.370", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://know.bishopfox.com/advisories"}, {"source": "cve@mitre.org", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://know.bishopfox.com/advisories/twisted-version-19.10.0"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2022/02/msg00021.html"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6ISMZFZBWW4EV6ETJGXAYIXN3AT7GBPL/"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YW3NIL7VXSGJND2Q4BSXM3CFTAFU6T7D/"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202007-24"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://usn.ubuntu.com/4308-1/"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://usn.ubuntu.com/4308-2/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-444"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2020:1561", "cpe": "cpe:/o:redhat:enterprise_linux:7", "package": "python-twisted-web-0:12.1.0-7.el7_8", "product_name": "Red Hat Enterprise Linux 7", "release_date": "2020-04-23T00:00:00Z"}], "bugzilla": {"description": "python-twisted: HTTP request smuggling when presented with a Content-Length and a chunked Transfer-Encoding header", "id": "1813447", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1813447"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "status": "verified"}, "cwe": "CWE-20->CWE-444", "details": ["In Twisted Web through 19.10.0, there was an HTTP request splitting vulnerability. When presented with a content-length and a chunked encoding header, the content-length took precedence and the remainder of the request body was interpreted as a pipelined request.", "A flaw was found in python-twisted-web, where it does not correctly process HTTP requests with both Content-Length and Transfer-Encoding headers. When the requests sent from and to the python-twisted-web are processed by another component that correctly processes HTTP requests, for example, a proxy, back-end, or web application firewall, a remote attacker can use this flaw to perform an HTTP request smuggling attack. This flaw impacts the system differently based on the type of application and the infrastructure."], "mitigation": {"lang": "en:us", "value": "When python-twisted-web is used as the back-end of your infrastructure, you can partially mitigate the problem by ensuring that each request on the front-end component (e.g. proxy) is sent over a separate network connection to the python-twisted-web server. This will prevent interference between different users, but it will not prevent all possible attacks that can be performed, which would vary based on the infrastructure and application in use."}, "name": "CVE-2020-10109", "package_state": [{"cpe": "cpe:/a:redhat:ceph_storage:2", "fix_state": "Will not fix", "package_name": "calamari-server", "product_name": "Red Hat Ceph Storage 2"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "python-twisted-web", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Will not fix", "impact": "moderate", "package_name": "python-twisted", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openstack:10", "fix_state": "Out of support scope", "impact": "moderate", "package_name": "python-twisted", "product_name": "Red Hat OpenStack Platform 10 (Newton)"}, {"cpe": "cpe:/a:redhat:openstack:13", "fix_state": "Will not fix", "impact": "moderate", "package_name": "python-twisted", "product_name": "Red Hat OpenStack Platform 13 (Queens)"}, {"cpe": "cpe:/a:redhat:openstack:16", "fix_state": "Will not fix", "impact": "moderate", "package_name": "python-twisted", "product_name": "Red Hat OpenStack Platform 16 (Train)"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Will not fix", "impact": "low", "package_name": "python-twisted", "product_name": "Red Hat Satellite 6"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Will not fix", "impact": "low", "package_name": "python-twisted-web", "product_name": "Red Hat Satellite 6"}], "public_date": "2020-03-11T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2020-10109\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-10109\nhttps://github.com/twisted/twisted/blob/twisted-20.3.0/NEWS.rst"], "statement": "Although Red Hat OpenStack Platform packages the flawed code, python-twisted's web.HTTP functionality is not used in the RHOSP environment. For this reason, the RHOSP impact has been lowered to moderate and no update will be provided at this time for the RHOSP python-twisted package .\nOpenShift Container Platform 4.3 and later includes `python-twisted` as a dependency of `python-prometheus_client` in Ironic container images, however the affected code is not used.\nRed Hat Satellite uses affected versions of `python-twisted` and `python-twisted-web` modules in Pulp, however, it is not vulnerable since `http` modal of web implementation is not expose in product. Red Hat Satellite may update `python-twisted` and `python-twisted-web` in future.\nThis issue affects the version of python-twisted(embedded in calamari-server) shipped with Red Hat Ceph Storage 2. However, calamari is no longer supported, hence the embedded python-twisted package will not be fixed.", "threat_severity": "Important", "upstream_fix": "twisted 20.3.0"}