Bug 1813439 (CVE-2020-10108) - CVE-2020-10108 python-twisted: HTTP request smuggling when presented with two Content-Length headers
Summary: CVE-2020-10108 python-twisted: HTTP request smuggling when presented with two...
Alias: CVE-2020-10108
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1813440 1813441 1813442 1818675 1818676 1818680 1819267 1819268 1819269 1821412 1821413 1821414 1823598 1825803
Blocks: 1813453
TreeView+ depends on / blocked
Reported: 2020-03-13 19:57 UTC by Guilherme de Almeida Suckevicz
Modified: 2021-12-14 18:47 UTC (History)
34 users (show)

Fixed In Version: twisted 20.3.0
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in python-twisted-web, where it does not correctly process HTTP requests, accepting requests with more than one Content-Length header. When the requests sent from and to the python-twisted-web are processed by another component that correctly processes HTTP requests, for example, a proxy, back-end, or web application firewall, a remote attacker can use this flaw to perform an HTTP request smuggling attack. This flaw impacts the system differently based on the type of application and the infrastructure.
Clone Of:
Last Closed: 2020-04-23 16:31:46 UTC

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:1561 0 None None None 2020-04-23 14:12:12 UTC
Red Hat Product Errata RHSA-2020:1962 0 None None None 2020-04-29 09:46:03 UTC

Description Guilherme de Almeida Suckevicz 2020-03-13 19:57:29 UTC
In Twisted Web through 19.10.0, there was an HTTP request splitting vulnerability. When presented with two content-length headers, it ignored the first header. When the second content-length value was set to zero, the request body was interpreted as a pipelined request.


Comment 1 Guilherme de Almeida Suckevicz 2020-03-13 19:58:00 UTC
Created python-twisted tracking bugs for this issue:

Affects: epel-8 [bug 1813442]
Affects: fedora-all [bug 1813441]
Affects: openstack-rdo [bug 1813440]

Comment 2 Summer Long 2020-03-24 04:50:09 UTC
External References:


Comment 6 Riccardo Schirone 2020-03-30 14:41:36 UTC
Removed rhel-6/python-twisted-core and rhel-7/python-twisted-core entries from the affect list because those packages do not contain the vulnerable code. The vulnerability is in the web part of the twisted framework.

Comment 8 Riccardo Schirone 2020-03-30 15:21:52 UTC
Function headerReceived() in http.py does not check whether a previous Content-Length header was already parsed, so when an attacker specifies two times the Content-Length, only the last one would be considered. However this is not the right behaviour according to RFC7230, so it can result in an HTTP request smuggling attack in case a proxy/firewall or another not-vulnerable component is placed before/after twisted.

Comment 10 Riccardo Schirone 2020-03-31 15:10:31 UTC
Impact of the flaw set to Important as nowadays it is considered common practice to have a proxy/load-balancer before a web service, so HTTP requests smuggling attacks are more relevant. That said, the kind of impact these flaws can do can vary a lot based on the application, the infrastructure and the configuration.

Comment 11 Riccardo Schirone 2020-03-31 15:16:21 UTC
Twisted can be used both as a back-end and as a front-end (e.g. proxy) and this flaw affects both settings.

Comment 12 Riccardo Schirone 2020-03-31 15:19:58 UTC

When python-twisted-web is used as the back-end of your infrastructure, you can partially mitigate the problem by ensuring that each request on the front-end component (e.g. proxy) is sent over a separate network connection to the python-twisted-web server. This will prevent interference between different users, but it will not prevent all possible attacks that can be performed, which would vary based on the infrastructure and application in use.

Comment 24 errata-xmlrpc 2020-04-23 14:12:10 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:1561 https://access.redhat.com/errata/RHSA-2020:1561

Comment 25 Product Security DevOps Team 2020-04-23 16:31:46 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):


Comment 26 errata-xmlrpc 2020-04-29 09:45:55 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2020:1962 https://access.redhat.com/errata/RHSA-2020:1962

Comment 27 Summer Long 2020-12-18 01:47:13 UTC

OpenShift Container Platform 4.3 and later includes `python-twisted` as a dependency of `python-prometheus_client` in Ironic container images, however the affected code is not used.

Red Hat OpenStack Platform packages the flawed code, however python-twisted's web.HTTP functionality is not used in the RHOSP environment. For this reason, the RHOSP impact has been lowered to moderate and no update will be provided at this time for the RHOSP python-twisted package.

Red Hat Satellite uses affected versions of `python-twisted` and  `python-twisted-web` modules in Pulp, however, it is not vulnerable since `http` modal of web implementation is not expose in product. Red Hat Satellite may update `python-twisted` and `python-twisted-web` in future.

This issue affects the version of python-twisted(embedded in calamari-server) shipped with Red Hat Ceph Storage 2. However, calamari is no longer supported, hence the embedded python-twisted package will not be fixed.

Note You need to log in before you can comment on or make changes to this bug.