
CVE-2020-10109

Published: 12 March 2020

In Twisted Web through 19.10.0, there was an HTTP request splitting vulnerability. When presented with a content-length and a chunked encoding header, the content-length took precedence and the remainder of the request body was interpreted as a pipelined request.
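The header combination described above can be refused before any body bytes are read. The following is an added example, not Twisted's code and not the upstream patch; the function names and sample requests are constructed, and refusing every transfer coding other than a lone `chunked` is a policy assumed here.

```python
# Added example: classify request framing and refuse the ambiguous case from this CVE.
# parse_head / classify_framing are hypothetical names; SAMPLE_* requests are constructed.
def parse_head(raw: bytes):
    """Split a raw request head into (request_line, [(lowercased name, value), ...])."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        # Whitespace around the name (or a folded line) is treated as malformed.
        if not sep or not name or name != name.strip():
            raise ValueError("malformed header line: %r" % line)
        headers.append((name.lower(), value.strip()))
    return lines[0], headers


def classify_framing(raw: bytes):
    """Return ("reject", reason), ("chunked", None), ("length", n) or ("none", 0)."""
    try:
        _, headers = parse_head(raw)
    except ValueError as exc:
        return ("reject", str(exc))
    lengths = [v for n, v in headers if n == "content-length"]
    codings = [c.strip().lower() for n, v in headers if n == "transfer-encoding"
               for c in v.split(",") if c.strip()]
    if lengths and codings:
        # Two framing signals: parsers that disagree on precedence see different bodies.
        return ("reject", "both Content-Length and Transfer-Encoding present")
    if codings:
        if codings != ["chunked"]:
            return ("reject", "unsupported Transfer-Encoding: " + ", ".join(codings))
        return ("chunked", None)
    if lengths:
        if len(set(lengths)) != 1 or not (lengths[0].isascii() and lengths[0].isdigit()):
            return ("reject", "invalid or conflicting Content-Length")
        return ("length", int(lengths[0]))
    return ("none", 0)


# Constructed sample requests (benign bodies).
HEAD = b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
SAMPLE_AMBIGUOUS = HEAD + b"Content-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n5\r\nhello\r\n0\r\n\r\n"
SAMPLE_CHUNKED = HEAD + b"transfer-ENCODING: Chunked\r\n\r\n5\r\nhello\r\n0\r\n\r\n"
SAMPLE_LENGTH = HEAD + b"Content-Length: 5\r\n\r\nhello"

if __name__ == "__main__":
    for sample in (SAMPLE_AMBIGUOUS, SAMPLE_CHUNKED, SAMPLE_LENGTH):
        print(classify_framing(sample))
```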

Notes

Author: mdeslaur
Note: same commit as CVE-2020-10108

Priority

Medium

CVSS 3 base score: 9.8

Status

Package: twisted (Launchpad, Ubuntu, Debian)

Release: Status
bionic: Released (17.9.0-2ubuntu0.1)
eoan: Released (18.9.0-3ubuntu1.1)
precise: Not vulnerable (code not present)
trusty: Released (13.2.0-1ubuntu1.2+esm1)
upstream: Needs triage
xenial: Released (16.0.0-1ubuntu0.4)

Patches:
upstream: https://github.com/twisted/twisted/commit/4a7d22e490bb8ff836892cc99a1f54b85ccb0281