vulnerability
Oracle Linux: CVE-2020-10109: ELSA-2020-1561: python-twisted-web security update (IMPORTANT) (Multiple Advisories)
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 7 | (AV:N/AC:L/Au:N/C:P/I:P/A:P) | 2020-03-11 | 2022-04-28 | 2025-01-07 |
Severity
7
CVSS
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
Published
2020-03-11
Added
2022-04-28
Modified
2025-01-07
Description
In Twisted Web through 19.10.0, there was an HTTP request splitting vulnerability. When presented with a content-length and a chunked encoding header, the content-length took precedence and the remainder of the request body was interpreted as a pipelined request.
A flaw was found in python-twisted-web, where it does not correctly process HTTP requests with both Content-Length and Transfer-Encoding headers. When the requests sent from and to the python-twisted-web are processed by another component that correctly processes HTTP requests, for example, a proxy, back-end, or web application firewall, a remote attacker can use this flaw to perform an HTTP request smuggling attack. This flaw impacts the system differently based on the type of application and the infrastructure.
A flaw was found in python-twisted-web, where it does not correctly process HTTP requests with both Content-Length and Transfer-Encoding headers. When the requests sent from and to the python-twisted-web are processed by another component that correctly processes HTTP requests, for example, a proxy, back-end, or web application firewall, a remote attacker can use this flaw to perform an HTTP request smuggling attack. This flaw impacts the system differently based on the type of application and the infrastructure.
Solution(s)
oracle-linux-upgrade-ol-automation-manageroracle-linux-upgrade-ol-automation-manager-clioracle-linux-upgrade-python3-olamkitoracle-linux-upgrade-python-twisted-web
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.