vulnerability

Oracle Linux: CVE-2020-10108: ELSA-2020-1561: python-twisted-web security update (IMPORTANT) (Multiple Advisories)

Try Surface Command
Back to search
Severity
7
CVSS
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
Published
Mar 11, 2020
Added
Apr 30, 2020
Modified
Dec 3, 2025

Description

In Twisted Web through 19.10.0, there was an HTTP request splitting vulnerability. When presented with two content-length headers, it ignored the first header. When the second content-length value was set to zero, the request body was interpreted as a pipelined request.
A flaw was found in python-twisted-web, where it does not correctly process HTTP requests, accepting requests with more than one Content-Length header. When the requests sent from and to the python-twisted-web are processed by another component that correctly processes HTTP requests, for example, a proxy, back-end, or web application firewall, a remote attacker can use this flaw to perform an HTTP request smuggling attack. This flaw impacts the system differently based on the type of application and the infrastructure.

Solutions

oracle-linux-upgrade-ol-automation-manageroracle-linux-upgrade-ol-automation-manager-clioracle-linux-upgrade-python3-olamkitoracle-linux-upgrade-python-twisted-web

References

Title
NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today