CVE-2020-10108 — CRITICAL (9.8)

Q: How severe is CVE-2020-10108?

CVE-2020-10108 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Q: Is there a patch for CVE-2020-10108?

Check the references section above for vendor advisories and patch information. Affected products include: Twisted Twisted, Fedoraproject Fedora, Debian Debian Linux, Canonical Ubuntu Linux, Oracle Zfs Storage Appliance Kit.

Vulnerability Description

In Twisted Web through 19.10.0, there was an HTTP request splitting vulnerability. When presented with two content-length headers, it ignored the first header. When the second content-length value was set to zero, the request body was interpreted as a pipelined request.

CVSS Score

9.8

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Twisted	Twisted	<= 19.10.0
Fedoraproject	Fedora	31
Debian	Debian Linux	9.0
Canonical	Ubuntu Linux	14.04
Oracle	Zfs Storage Appliance Kit	8.8
Oracle	Solaris	10

Related Weaknesses (CWE)

CWE-444

References

https://know.bishopfox.com/advisoriesExploitThird Party Advisory
https://know.bishopfox.com/advisories/twisted-version-19.10.0Release NotesThird Party Advisory
https://lists.debian.org/debian-lts-announce/2022/02/msg00021.htmlMailing ListThird Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://security.gentoo.org/glsa/202007-24Third Party Advisory
https://usn.ubuntu.com/4308-1/Third Party Advisory
https://usn.ubuntu.com/4308-2/Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2020.htmlPatchThird Party Advisory
https://know.bishopfox.com/advisoriesExploitThird Party Advisory
https://know.bishopfox.com/advisories/twisted-version-19.10.0Release NotesThird Party Advisory
https://lists.debian.org/debian-lts-announce/2022/02/msg00021.htmlMailing ListThird Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://security.gentoo.org/glsa/202007-24Third Party Advisory

FAQ

What is CVE-2020-10108?

CVE-2020-10108 is a vulnerability with a CVSS score of 9.8 (CRITICAL). In Twisted Web through 19.10.0, there was an HTTP request splitting vulnerability. When presented with two content-length headers, it ignored the first header. When the second content-length value was...

How severe is CVE-2020-10108?

CVE-2020-10108 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2020-10108?

Check the references section above for vendor advisories and patch information. Affected products include: Twisted Twisted, Fedoraproject Fedora, Debian Debian Linux, Canonical Ubuntu Linux, Oracle Zfs Storage Appliance Kit.