CVE-2020-10109

Published: 12 March 2020

In Twisted Web through 19.10.0, there was an HTTP request splitting vulnerability. When presented with a content-length and a chunked encoding header, the content-length took precedence and the remainder of the request body was interpreted as a pipelined request.
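A defensive check for the condition described above, as an added example that is not Twisted's code or its upstream fix: it refuses a request that declares both framings instead of letting one take precedence, and goes slightly beyond the advisory by also refusing conflicting Content-Length values and transfer codings other than chunked. The names body_framing and AmbiguousFraming and the sample header blocks are assumptions made for illustration.

```python
# Added example: not Twisted's code. Function and exception names are hypothetical.
class AmbiguousFraming(ValueError):
    """Raised when a request's body length is declared in conflicting ways."""


def body_framing(header_block: bytes):
    """Return ("chunked", None), ("length", n) or ("none", 0) for one request.

    header_block is the raw request line plus headers, up to but not
    including the blank line that ends them.
    """
    lines = header_block.split(b"\r\n")[1:]  # skip the request line
    lengths, encodings = [], []
    for line in lines:
        name, sep, value = line.partition(b":")
        if not sep:
            raise ValueError("malformed header line: %r" % line)
        name = name.strip().lower()  # header names are case-insensitive
        value = value.strip()
        if name == b"content-length":
            lengths.append(value)
        elif name == b"transfer-encoding":
            encodings += [v.strip().lower() for v in value.split(b",")]

    if lengths and encodings:
        # The case in this advisory: two framings, so refuse rather than pick one.
        raise AmbiguousFraming("both Content-Length and Transfer-Encoding present")
    if encodings:
        if encodings != [b"chunked"]:
            raise AmbiguousFraming("unsupported Transfer-Encoding: %r" % encodings)
        return ("chunked", None)
    if lengths:
        if len(set(lengths)) != 1 or not lengths[0].isdigit():
            raise AmbiguousFraming("conflicting or non-numeric Content-Length")
        return ("length", int(lengths[0]))
    return ("none", 0)


# Constructed sample header blocks (not captured traffic).
PLAIN = b"POST /upload HTTP/1.1\r\nHost: example.test\r\nContent-Length: 11"
CHUNKED = b"POST /upload HTTP/1.1\r\nHost: example.test\r\nTransfer-Encoding: chunked"
BOTH = PLAIN + b"\r\ntransfer-encoding: Chunked"
```

A front end or middleware would call body_framing before reading the body and answer 400 when AmbiguousFraming is raised.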

Priority

Medium

CVSS 3 base score: 9.8

Status

Package: twisted (Launchpad, Ubuntu, Debian)

Release                             Status
Upstream                            Needs triage
Ubuntu 18.04 LTS (Bionic Beaver)    Released (17.9.0-2ubuntu0.1)
Ubuntu 16.04 ESM (Xenial Xerus)     Released (16.0.0-1ubuntu0.4)
Ubuntu 14.04 ESM (Trusty Tahr)      Released (13.2.0-1ubuntu1.2+esm1)

Patches:
Upstream: https://github.com/twisted/twisted/commit/4a7d22e490bb8ff836892cc99a1f54b85ccb0281