Improper Input Validation Affecting python-twisted-web package, versions <0:12.1.0-7.el7_8
Snyk ID SNYK-RHEL7-PYTHONTWISTEDWEB-1527322
- published 26 Jul 2021
- disclosed 11 Mar 2020
How to fix?
Upgrade RHEL:7 python-twisted-web to version 0:12.1.0-7.el7_8 or higher.
This issue was patched in RHSA-2020:1561.
NVD Description
Note: Versions mentioned in the description apply only to the upstream python-twisted-web package, not to the python-twisted-web package as distributed by RHEL.
See "How to fix?" above for the RHEL:7 fixed version and status.
In Twisted Web through 19.10.0, there was an HTTP request splitting vulnerability. When a request carried both a Content-Length header and a chunked Transfer-Encoding header, the Content-Length took precedence, and the remainder of the request body was interpreted as a pipelined request.
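The framing decision the description refers to is the one RFC 7230 section 3.3.3 settles: Transfer-Encoding overrides Content-Length, and a message carrying both ought to be treated as an error rather than framed by Content-Length. The following is an added example (not code from Twisted, Red Hat, or the advisory) of a body-framing check a proxy or server-side validator can apply before any body bytes are consumed; the function and constant names are this example's own, and the sample requests are constructed, not captured traffic.

```python
"""Body-framing check for HTTP/1.1 requests (added example, not Twisted code).

Models the decision CVE-2020-10109 got wrong: per RFC 7230 section 3.3.3,
Transfer-Encoding overrides Content-Length, and a request carrying both
is rejected instead of being framed by Content-Length.
"""
from typing import Optional, Tuple


class AmbiguousFraming(ValueError):
    """Raised when a request carries conflicting body-length signals."""


def parse_headers(raw: bytes) -> dict:
    """Parse the header block of a raw HTTP/1.1 request into a dict.

    Header names are lower-cased; repeated headers are joined with ', '
    so that duplicate Content-Length values remain visible to the caller.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    headers: dict = {}
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(b":")
        if not sep:
            raise ValueError("malformed header line: %r" % line)
        key = name.strip().lower().decode("ascii")
        val = value.strip().decode("ascii")
        headers[key] = headers[key] + ", " + val if key in headers else val
    return headers


def body_framing(headers: dict) -> Tuple[str, Optional[int]]:
    """Decide how the request body is delimited.

    Returns ("chunked", None) or ("length", n). Raises AmbiguousFraming when
    Transfer-Encoding and Content-Length are both present, when the final
    transfer-coding is not 'chunked', or when Content-Length is not a single
    non-negative integer (all RFC 7230 section 3.3.3 error cases).
    """
    te = headers.get("transfer-encoding")
    cl = headers.get("content-length")
    if te is not None:
        if cl is not None:
            # The vulnerable behaviour let Content-Length win here; the safe
            # choice is to reject the request outright.
            raise AmbiguousFraming("both Transfer-Encoding and Content-Length present")
        codings = [c.strip().lower() for c in te.split(",")]
        if codings[-1] != "chunked":
            raise AmbiguousFraming("final transfer-coding is not chunked")
        return ("chunked", None)
    if cl is None:
        return ("length", 0)
    values = {v.strip() for v in cl.split(",")}
    if len(values) != 1:
        raise AmbiguousFraming("conflicting Content-Length values")
    value = values.pop()
    if not value.isdigit():
        raise AmbiguousFraming("non-numeric Content-Length")
    return ("length", int(value))


def check_request(raw: bytes) -> str:
    """Classify a raw request as 'ok:chunked', 'ok:length=N' or 'reject:<reason>'."""
    try:
        kind, n = body_framing(parse_headers(raw))
    except ValueError as exc:  # AmbiguousFraming is a ValueError
        return "reject:" + str(exc)
    return "ok:chunked" if kind == "chunked" else "ok:length=%d" % n


# Constructed sample requests for this example (not captured traffic).
PLAIN = b"POST /a HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n\r\nhello"
CHUNKED = b"POST /a HTTP/1.1\r\nHost: example.test\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n"
BOTH = (b"POST /a HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n"
        b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\n")
DUP_CL = b"POST /a HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\nContent-Length: 6\r\n\r\nhello"

if __name__ == "__main__":
    for name, req in [("plain", PLAIN), ("chunked", CHUNKED), ("both", BOTH), ("dup_cl", DUP_CL)]:
        print(name, "->", check_request(req))
```

The rejection branch is the point: a parser that silently picks one header over the other leaves the two ends of a proxy chain free to disagree about where one request ends and the next begins, which is exactly the desynchronisation the advisory describes. Rejecting the ambiguous request with a 400 removes the disagreement rather than resolving it in one direction.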
References
- https://access.redhat.com/security/cve/CVE-2020-10109
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6ISMZFZBWW4EV6ETJGXAYIXN3AT7GBPL/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YW3NIL7VXSGJND2Q4BSXM3CFTAFU6T7D/
- https://security.gentoo.org/glsa/202007-24
- https://know.bishopfox.com/advisories
- https://know.bishopfox.com/advisories/twisted-version-19.10.0
- https://access.redhat.com/errata/RHSA-2020:1561
- https://usn.ubuntu.com/4308-1/
- https://usn.ubuntu.com/4308-2/
- https://lists.debian.org/debian-lts-announce/2022/02/msg00021.html