Vulnerabilities > CVE-2020-10108 - HTTP Request Smuggling vulnerability in multiple products
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
HIGH Integrity impact
HIGH Availability impact
HIGH Summary
In Twisted Web through 19.10.0, there was an HTTP request splitting vulnerability. When presented with two content-length headers, it ignored the first header. When the second content-length value was set to zero, the request body was interpreted as a pipelined request.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- HTTP Request Splitting HTTP Request Splitting (also known as HTTP Request Smuggling) is an attack pattern where an attacker attempts to insert additional HTTP requests in the body of the original (enveloping) HTTP request in such a way that the browser interprets it as one request but the web server interprets it as two. There are several ways to perform HTTP request splitting attacks. One way is to include double Content-Length headers in the request to exploit the fact that the devices parsing the request may each use a different header. Another way is to submit an HTTP request with a "Transfer Encoding: chunked" in the request header set with setRequestHeader to allow a payload in the HTTP Request that can be considered as another HTTP Request by a subsequent parsing entity. A third way is to use the "Double CR in an HTTP header" technique. There are also a few less general techniques targeting specific parsing vulnerabilities in certain web servers.
- HTTP Request Smuggling HTTP Request Smuggling results from the discrepancies in parsing HTTP requests between HTTP entities such as web caching proxies or application firewalls. Entities such as web servers, web caching proxies, application firewalls or simple proxies often parse HTTP requests in slightly different ways. Under specific situations where there are two or more such entities in the path of the HTTP request, a specially crafted request is seen by two attacked entities as two different sets of requests. This allows certain requests to be smuggled through to a second entity without the first one realizing it.
Nessus
NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2020-1561.NASL description From Red Hat Security Advisory 2020:1561 : The remote Redhat Enterprise Linux 7 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2020:1561 advisory. - python-twisted: HTTP request smuggling when presented with two Content-Length headers (CVE-2020-10108) - python-twisted: HTTP request smuggling when presented with a Content-Length and a chunked Transfer-Encoding header (CVE-2020-10109) Note that Nessus has not tested for this issue but has instead relied only on the application last seen 2020-06-06 modified 2020-04-24 plugin id 135958 published 2020-04-24 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/135958 title Oracle Linux 7 : python-twisted-web (ELSA-2020-1561) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Red Hat Security Advisory RHSA-2020:1561 and # Oracle Linux Security Advisory ELSA-2020-1561 respectively. # include("compat.inc"); if (description) { script_id(135958); script_version("1.3"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/05"); script_cve_id("CVE-2020-10108", "CVE-2020-10109"); script_xref(name:"RHSA", value:"2020:1561"); script_name(english:"Oracle Linux 7 : python-twisted-web (ELSA-2020-1561)"); script_summary(english:"Checks rpm output for the updated package"); script_set_attribute( attribute:"synopsis", value:"The remote Oracle Linux host is missing a security update." ); script_set_attribute( attribute:"description", value: "From Red Hat Security Advisory 2020:1561 : The remote Redhat Enterprise Linux 7 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2020:1561 advisory. - python-twisted: HTTP request smuggling when presented with two Content-Length headers (CVE-2020-10108) - python-twisted: HTTP request smuggling when presented with a Content-Length and a chunked Transfer-Encoding header (CVE-2020-10109) Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number." ); script_set_attribute( attribute:"see_also", value:"https://oss.oracle.com/pipermail/el-errata/2020-April/009864.html" ); script_set_attribute( attribute:"solution", value:"Update the affected python-twisted-web package." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:python-twisted-web"); script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:7"); script_set_attribute(attribute:"vuln_publication_date", value:"2020/03/12"); script_set_attribute(attribute:"patch_publication_date", value:"2020/04/23"); script_set_attribute(attribute:"plugin_publication_date", value:"2020/04/24"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Oracle Linux Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/OracleLinux", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/OracleLinux")) audit(AUDIT_OS_NOT, "Oracle Linux"); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || !pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux)", string:release)) audit(AUDIT_OS_NOT, "Oracle Linux"); os_ver = pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\.[0-9]+)?)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Oracle Linux"); os_ver = os_ver[1]; if (! preg(pattern:"^7([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Oracle Linux 7", "Oracle Linux " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Oracle Linux", cpu); if ("x86_64" >!< cpu) audit(AUDIT_ARCH_NOT, "x86_64", cpu); flag = 0; if (rpm_check(release:"EL7", cpu:"x86_64", reference:"python-twisted-web-12.1.0-7.el7_8")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "python-twisted-web"); }
NASL family Scientific Linux Local Security Checks NASL id SL_20200429_PYTHON_TWISTED_WEB_ON_SL6_X.NASL description Security Fix(es) : - python-twisted: HTTP request smuggling when presented with two Content-Length headers (CVE-2020-10108) last seen 2020-05-06 modified 2020-04-30 plugin id 136162 published 2020-04-30 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/136162 title Scientific Linux Security Update : python-twisted-web on SL6.x i386/x86_64 (20200429) code # # (C) Tenable Network Security, Inc. # # The descriptive text is (C) Scientific Linux. # include("compat.inc"); if (description) { script_id(136162); script_version("1.2"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/04"); script_cve_id("CVE-2020-10108"); script_name(english:"Scientific Linux Security Update : python-twisted-web on SL6.x i386/x86_64 (20200429)"); script_summary(english:"Checks rpm output for the updated package"); script_set_attribute( attribute:"synopsis", value:"The remote Scientific Linux host is missing a security update." ); script_set_attribute( attribute:"description", value: "Security Fix(es) : - python-twisted: HTTP request smuggling when presented with two Content-Length headers (CVE-2020-10108)" ); # https://listserv.fnal.gov/scripts/wa.exe?A2=ind2004&L=SCIENTIFIC-LINUX-ERRATA&P=29819 script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?a42e5a08" ); script_set_attribute( attribute:"solution", value:"Update the affected python-twisted-web package." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:python-twisted-web"); script_set_attribute(attribute:"cpe", value:"x-cpe:/o:fermilab:scientific_linux"); script_set_attribute(attribute:"vuln_publication_date", value:"2020/03/12"); script_set_attribute(attribute:"patch_publication_date", value:"2020/04/29"); script_set_attribute(attribute:"plugin_publication_date", value:"2020/04/30"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Scientific Linux Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Scientific Linux " >!< release) audit(AUDIT_HOST_NOT, "running Scientific Linux"); os_ver = pregmatch(pattern: "Scientific Linux.*release ([0-9]+(\.[0-9]+)?)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Scientific Linux"); os_ver = os_ver[1]; if (! preg(pattern:"^6([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Scientific Linux 6.x", "Scientific Linux " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if (cpu >!< "x86_64" && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Scientific Linux", cpu); flag = 0; if (rpm_check(release:"SL6", reference:"python-twisted-web-8.2.0-6.el6_10")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : rpm_report_get() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "python-twisted-web"); }
NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2020-1561.NASL description The remote Redhat Enterprise Linux 7 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2020:1561 advisory. - python-twisted: HTTP request smuggling when presented with two Content-Length headers (CVE-2020-10108) - python-twisted: HTTP request smuggling when presented with a Content-Length and a chunked Transfer-Encoding header (CVE-2020-10109) Note that Nessus has not tested for this issue but has instead relied only on the application last seen 2020-04-30 modified 2020-04-23 plugin id 135927 published 2020-04-23 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/135927 title RHEL 7 : python-twisted-web (RHSA-2020:1561) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Red Hat Security Advisory RHSA-2020:1561. The text # itself is copyright (C) Red Hat, Inc. # include('compat.inc'); if (description) { script_id(135927); script_version("1.2"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/04/24"); script_cve_id("CVE-2020-10108", "CVE-2020-10109"); script_xref(name:"RHSA", value:"2020:1561"); script_name(english:"RHEL 7 : python-twisted-web (RHSA-2020:1561)"); script_summary(english:"Checks the rpm output for the updated package"); script_set_attribute(attribute:"synopsis", value: "The remote Red Hat host is missing one or more security updates."); script_set_attribute(attribute:"description", value: "The remote Redhat Enterprise Linux 7 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2020:1561 advisory. - python-twisted: HTTP request smuggling when presented with two Content-Length headers (CVE-2020-10108) - python-twisted: HTTP request smuggling when presented with a Content-Length and a chunked Transfer-Encoding header (CVE-2020-10109) Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number."); script_set_attribute(attribute:"see_also", value:"https://cwe.mitre.org/data/definitions/20.html"); script_set_attribute(attribute:"see_also", value:"https://cwe.mitre.org/data/definitions/444.html"); script_set_attribute(attribute:"see_also", value:"https://cwe.mitre.org/data/definitions/20.html"); script_set_attribute(attribute:"see_also", value:"https://cwe.mitre.org/data/definitions/444.html"); script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/errata/RHSA-2020:1561"); script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2020-10108"); script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2020-10109"); script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/1813439"); script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/1813447"); script_set_attribute(attribute:"solution", value: "Update the affected python-twisted-web package."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-10109"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_cwe_id(20, 444); script_set_attribute(attribute:"vuln_publication_date", value:"2020/03/12"); script_set_attribute(attribute:"patch_publication_date", value:"2020/04/23"); script_set_attribute(attribute:"plugin_publication_date", value:"2020/04/23"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7::client"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7::computenode"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7::server"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7::workstation"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python-twisted-web"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Red Hat Local Security Checks"); script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu"); exit(0); } include('audit.inc'); include('global_settings.inc'); include('misc_func.inc'); include('rpm.inc'); if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item('Host/RedHat/release'); if (isnull(release) || 'Red Hat' >!< release) audit(AUDIT_OS_NOT, 'Red Hat'); os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat'); os_ver = os_ver[1]; if (! preg(pattern:"^7([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, 'Red Hat 7.x', 'Red Hat ' + os_ver); if (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item('Host/cpu'); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu); pkgs = [ {'reference':'python-twisted-web-12.1.0-7.el7_8', 'cpu':'s390x', 'release':'7'}, {'reference':'python-twisted-web-12.1.0-7.el7_8', 'cpu':'x86_64', 'release':'7'} ]; flag = 0; foreach package_array ( pkgs ) { reference = NULL; release = NULL; sp = NULL; cpu = NULL; el_string = NULL; rpm_spec_vers_cmp = NULL; epoch = NULL; if (!empty_or_null(package_array['reference'])) reference = package_array['reference']; if (!empty_or_null(package_array['release'])) release = 'RHEL' + package_array['release']; if (!empty_or_null(package_array['sp'])) sp = package_array['sp']; if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu']; if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string']; if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp']; if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch']; if (reference && release) { if (rpm_spec_vers_cmp) { if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:TRUE)) flag++; } else { if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch)) flag++; } } } if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : rpm_report_get() + redhat_report_package_caveat() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'python-twisted-web'); }
NASL family Scientific Linux Local Security Checks NASL id SL_20200423_PYTHON_TWISTED_WEB_ON_SL7_X.NASL description Security Fix(es) : - python-twisted: HTTP request smuggling when presented with two Content-Length headers (CVE-2020-10108) - python-twisted: HTTP request smuggling when presented with a Content-Length and a chunked Transfer-Encoding header (CVE-2020-10109) last seen 2020-04-30 modified 2020-04-24 plugin id 135960 published 2020-04-24 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/135960 title Scientific Linux Security Update : python-twisted-web on SL7.x x86_64 (20200423) code # # (C) Tenable Network Security, Inc. # # The descriptive text is (C) Scientific Linux. # include("compat.inc"); if (description) { script_id(135960); script_version("1.2"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/04/28"); script_cve_id("CVE-2020-10108", "CVE-2020-10109"); script_name(english:"Scientific Linux Security Update : python-twisted-web on SL7.x x86_64 (20200423)"); script_summary(english:"Checks rpm output for the updated package"); script_set_attribute( attribute:"synopsis", value:"The remote Scientific Linux host is missing a security update." ); script_set_attribute( attribute:"description", value: "Security Fix(es) : - python-twisted: HTTP request smuggling when presented with two Content-Length headers (CVE-2020-10108) - python-twisted: HTTP request smuggling when presented with a Content-Length and a chunked Transfer-Encoding header (CVE-2020-10109)" ); # https://listserv.fnal.gov/scripts/wa.exe?A2=ind2004&L=SCIENTIFIC-LINUX-ERRATA&P=29480 script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?19eeda6c" ); script_set_attribute( attribute:"solution", value:"Update the affected python-twisted-web package." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:python-twisted-web"); script_set_attribute(attribute:"cpe", value:"x-cpe:/o:fermilab:scientific_linux"); script_set_attribute(attribute:"vuln_publication_date", value:"2020/03/12"); script_set_attribute(attribute:"patch_publication_date", value:"2020/04/23"); script_set_attribute(attribute:"plugin_publication_date", value:"2020/04/24"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Scientific Linux Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Scientific Linux " >!< release) audit(AUDIT_HOST_NOT, "running Scientific Linux"); os_ver = pregmatch(pattern: "Scientific Linux.*release ([0-9]+(\.[0-9]+)?)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Scientific Linux"); os_ver = os_ver[1]; if (! preg(pattern:"^7([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Scientific Linux 7.x", "Scientific Linux " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if (cpu >!< "x86_64" && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Scientific Linux", cpu); if ("x86_64" >!< cpu) audit(AUDIT_ARCH_NOT, "x86_64", cpu); flag = 0; if (rpm_check(release:"SL7", cpu:"x86_64", reference:"python-twisted-web-12.1.0-7.el7_8")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : rpm_report_get() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "python-twisted-web"); }
NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2020-1561.NASL description The remote Redhat Enterprise Linux 7 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2020:1561 advisory. - python-twisted: HTTP request smuggling when presented with two Content-Length headers (CVE-2020-10108) - python-twisted: HTTP request smuggling when presented with a Content-Length and a chunked Transfer-Encoding header (CVE-2020-10109) Note that Nessus has not tested for this issue but has instead relied only on the application last seen 2020-06-06 modified 2020-05-01 plugin id 136199 published 2020-05-01 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/136199 title CentOS 7 : python-twisted-web (CESA-2020:1561) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Red Hat Security Advisory RHSA-2020:1561 and # CentOS Errata and Security Advisory 2020:1561 respectively. # include("compat.inc"); if (description) { script_id(136199); script_version("1.3"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/05"); script_cve_id("CVE-2020-10108", "CVE-2020-10109"); script_xref(name:"RHSA", value:"2020:1561"); script_name(english:"CentOS 7 : python-twisted-web (CESA-2020:1561)"); script_summary(english:"Checks rpm output for the updated package"); script_set_attribute( attribute:"synopsis", value:"The remote CentOS host is missing a security update." ); script_set_attribute( attribute:"description", value: "The remote Redhat Enterprise Linux 7 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2020:1561 advisory. - python-twisted: HTTP request smuggling when presented with two Content-Length headers (CVE-2020-10108) - python-twisted: HTTP request smuggling when presented with a Content-Length and a chunked Transfer-Encoding header (CVE-2020-10109) Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number." ); # https://lists.centos.org/pipermail/centos-announce/2020-April/035709.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?ab56ae2e" ); script_set_attribute( attribute:"solution", value:"Update the affected python-twisted-web package." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-10108"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:python-twisted-web"); script_set_attribute(attribute:"cpe", value:"cpe:/o:centos:centos:7"); script_set_attribute(attribute:"vuln_publication_date", value:"2020/03/12"); script_set_attribute(attribute:"patch_publication_date", value:"2020/04/30"); script_set_attribute(attribute:"plugin_publication_date", value:"2020/05/01"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"CentOS Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/CentOS/release", "Host/CentOS/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/CentOS/release"); if (isnull(release) || "CentOS" >!< release) audit(AUDIT_OS_NOT, "CentOS"); os_ver = pregmatch(pattern: "CentOS(?: Linux)? release ([0-9]+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "CentOS"); os_ver = os_ver[1]; if (! preg(pattern:"^7([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "CentOS 7.x", "CentOS " + os_ver); if (!get_kb_item("Host/CentOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "CentOS", cpu); flag = 0; if (rpm_check(release:"CentOS-7", cpu:"x86_64", reference:"python-twisted-web-12.1.0-7.el7_8")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : rpm_report_get() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "python-twisted-web"); }
NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-4308-1.NASL description it was discovered that Twisted incorrectly validated or sanitized certain URIs or HTTP methods. A remote attacker could use this issue to inject invalid characters and possibly perform header injection attacks. (CVE-2019-12387) It was discovered that Twisted incorrectly verified XMPP TLS certificates. A remote attacker could possibly use this issue to perform a man-in-the-middle attack and obtain sensitive information. (CVE-2019-12855) It was discovered that Twisted incorrectly handled HTTP/2 connections. A remote attacker could possibly use this issue to cause Twisted to hang or consume resources, leading to a denial of service. This issue only affected Ubuntu 18.04 LTS and Ubuntu 19.10. (CVE-2019-9512, CVE-2019-9514, CVE-2019-9515) Jake Miller and ZeddYu Lu discovered that Twisted incorrectly handled certain content-length headers. A remote attacker could possibly use this issue to perform HTTP request splitting attacks. (CVE-2020-10108, CVE-2020-10109). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-03-26 modified 2020-03-20 plugin id 134758 published 2020-03-20 reporter Ubuntu Security Notice (C) 2020 Canonical, Inc. / NASL script (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/134758 title Ubuntu 16.04 LTS / 18.04 LTS / 19.10 : twisted vulnerabilities (USN-4308-1) (Ping Flood) (Reset Flood) (Settings Flood) NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2020-1962.NASL description From Red Hat Security Advisory 2020:1962 : The remote Redhat Enterprise Linux 6 host has a package installed that is affected by a vulnerability as referenced in the RHSA-2020:1962 advisory. - python-twisted: HTTP request smuggling when presented with two Content-Length headers (CVE-2020-10108) Note that Nessus has not tested for this issue but has instead relied only on the application last seen 2020-06-06 modified 2020-04-30 plugin id 136161 published 2020-04-30 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/136161 title Oracle Linux 6 : python-twisted-web (ELSA-2020-1962) NASL family Amazon Linux Local Security Checks NASL id ALA_ALAS-2020-1372.NASL description In Twisted Web through 19.10.0, there was an HTTP request splitting vulnerability. When presented with two content-length headers, it ignored the first header. When the second content-length value was set to zero, the request body was interpreted as a pipelined request.(CVE-2020-10108) last seen 2020-06-10 modified 2020-06-04 plugin id 137095 published 2020-06-04 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/137095 title Amazon Linux AMI : python-twisted-web (ALAS-2020-1372) NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2020-1962.NASL description The remote Redhat Enterprise Linux 6 host has a package installed that is affected by a vulnerability as referenced in the RHSA-2020:1962 advisory. - python-twisted: HTTP request smuggling when presented with two Content-Length headers (CVE-2020-10108) Note that Nessus has not tested for this issue but has instead relied only on the application last seen 2020-06-06 modified 2020-05-01 plugin id 136200 published 2020-05-01 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/136200 title CentOS 6 : python-twisted-web (CESA-2020:1962) NASL family FreeBSD Local Security Checks NASL id FREEBSD_PKG_9FBAEFB3837E11EAB5B4641C67A117D8.NASL description Twisted developers reports : All HTTP clients in twisted.web.client now raise a ValueError when called with a method and/or URL that contain invalid characters. This mitigates CVE-2019-12387. Thanks to Alex Brasetvik for reporting this vulnerability. The HTTP/2 server implementation now enforces TCP flow control on control frame messages and times out clients that send invalid data without reading responses. This closes CVE-2019-9512 (Ping Flood), CVE-2019-9514 (Reset Flood), and CVE-2019-9515 (Settings Flood). Thanks to Jonathan Looney and Piotr Sikora. twisted.web.http was subject to several request smuggling attacks. Requests with multiple Content-Length headers were allowed (CVE-2020-10108, thanks to Jake Miller from Bishop Fox and ZeddYu Lu for reporting this) and now fail with a 400; requests with a Content-Length header and a Transfer-Encoding header honored the first header (CVE-2020-10109, thanks to Jake Miller from Bishop Fox for reporting this) and now fail with a 400; requests whose Transfer-Encoding header had a value other than last seen 2020-04-30 modified 2020-04-22 plugin id 135883 published 2020-04-22 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/135883 title FreeBSD : py-twisted -- multiple vulnerabilities (9fbaefb3-837e-11ea-b5b4-641c67a117d8) (Ping Flood) (Reset Flood) (Settings Flood) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2020-1962.NASL description The remote Redhat Enterprise Linux 6 host has a package installed that is affected by a vulnerability as referenced in the RHSA-2020:1962 advisory. - python-twisted: HTTP request smuggling when presented with two Content-Length headers (CVE-2020-10108) Note that Nessus has not tested for this issue but has instead relied only on the application last seen 2020-05-03 modified 2020-04-29 plugin id 136101 published 2020-04-29 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/136101 title RHEL 6 : python-twisted-web (RHSA-2020:1962) NASL family Amazon Linux Local Security Checks NASL id AL2_ALAS-2020-1428.NASL description In Twisted Web through 19.10.0, there was an HTTP request splitting vulnerability. When presented with a content-length and a chunked encoding header, the content-length took precedence and the remainder of the request body was interpreted as a pipelined request. (CVE-2020-10109) In Twisted Web through 19.10.0, there was an HTTP request splitting vulnerability. When presented with two content-length headers, it ignored the first header. When the second content-length value was set to zero, the request body was interpreted as a pipelined request. (CVE-2020-10108) last seen 2020-05-31 modified 2020-05-21 plugin id 136751 published 2020-05-21 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/136751 title Amazon Linux 2 : python-twisted-web (ALAS-2020-1428) NASL family Fedora Local Security Checks NASL id FEDORA_2020-16DC0DA400.NASL description Security fix for CVE-2020-10108 (#1813439, #1813441) Security fix for CVE-2020-10109 (#1813447, #1813449) ---- Own %{pythonX_sitelib}/twisted/plugins Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-03-31 modified 2020-03-26 plugin id 134920 published 2020-03-26 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/134920 title Fedora 31 : python-twisted (2020-16dc0da400) NASL family Debian Local Security Checks NASL id DEBIAN_DLA-2145.NASL description It was discovered that there were was a regression introduced in DLA-2145-1 due to the incorrect application of the upstream patch for CVE-2020-10108 & CVE-2020-10109 regarding a number of HTTP request splitting vulnerabilities in Twisted, an Python event-based framework for building various types of internet applications. Thanks to Etienne Allovon for the detailed report. For Debian 8 last seen 2020-03-20 modified 2020-03-18 plugin id 134632 published 2020-03-18 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/134632 title Debian DLA-2145-2 : twisted security update
Redhat
advisories |
| ||||||||||||||||||||||||||||||||||||||
rpms |
|
References
- https://know.bishopfox.com/advisories
- https://know.bishopfox.com/advisories/twisted-version-19.10.0
- https://lists.debian.org/debian-lts-announce/2022/02/msg00021.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6ISMZFZBWW4EV6ETJGXAYIXN3AT7GBPL/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YW3NIL7VXSGJND2Q4BSXM3CFTAFU6T7D/
- https://security.gentoo.org/glsa/202007-24
- https://usn.ubuntu.com/4308-1/
- https://usn.ubuntu.com/4308-2/
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://know.bishopfox.com/advisories
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://usn.ubuntu.com/4308-2/
- https://usn.ubuntu.com/4308-1/
- https://security.gentoo.org/glsa/202007-24
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YW3NIL7VXSGJND2Q4BSXM3CFTAFU6T7D/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6ISMZFZBWW4EV6ETJGXAYIXN3AT7GBPL/
- https://lists.debian.org/debian-lts-announce/2022/02/msg00021.html
- https://know.bishopfox.com/advisories/twisted-version-19.10.0