CVE-2020-10108

9.8 CRITICAL

📋 TL;DR

CVE-2020-10108 is an HTTP request splitting vulnerability in Twisted Web that allows attackers to bypass security controls by sending HTTP requests with multiple Content-Length headers. When the second header is set to zero, the request body is interpreted as a new pipelined request, potentially enabling request smuggling, cache poisoning, or authentication bypass. This affects any system running Twisted Web versions through 19.10.0.

💻 Affected Systems

Products:
  • Twisted Web
Versions: through 19.10.0
Operating Systems: All platforms running Twisted Web
Default Config Vulnerable: ⚠️ Yes
Notes: Any application using Twisted Web's HTTP server functionality is vulnerable by default.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could perform HTTP request smuggling to poison web caches, bypass authentication, hijack user sessions, or conduct cross-site scripting attacks against users.

🟠

Likely Case

Request smuggling leading to cache poisoning or authentication bypass against vulnerable applications.

🟢

If Mitigated

Limited impact if proper WAF/IPS filtering blocks malformed HTTP requests with multiple Content-Length headers.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending specially crafted HTTP requests but no authentication is needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Twisted 20.3.0 and later

Vendor Advisory: https://twistedmatrix.com/trac/ticket/9906

Restart Required: Yes

Instructions:

1. Upgrade Twisted to version 20.3.0 or later using pip (quote the specifier so the shell does not treat `>=` as a redirection): pip install --upgrade "twisted>=20.3.0"
2. Restart all services using Twisted Web
3. Verify the fix by checking the installed version

🔧 Temporary Workarounds

WAF/IPS Filtering

Platforms: all

Configure web application firewalls or intrusion prevention systems to block HTTP requests containing multiple Content-Length headers.

Reverse Proxy Validation

Platforms: all

Configure reverse proxies (nginx, Apache, HAProxy) to normalize or reject requests with multiple Content-Length headers before they reach Twisted.

🧯 If You Can't Patch

  • Implement strict HTTP request validation at the network perimeter to reject requests with multiple Content-Length headers.
  • Isolate vulnerable systems behind reverse proxies that sanitize HTTP requests before forwarding to Twisted.

🔍 How to Verify

Check if Vulnerable:

Check if Twisted version is 19.10.0 or earlier by examining package version or running: python -c "import twisted; print(twisted.__version__)"

Check Version:

python -c "import twisted; print('Twisted version:', twisted.__version__)"

Verify Fix Applied:

After patching, verify version is 20.3.0 or later and test with HTTP requests containing multiple Content-Length headers to ensure they are rejected.

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests with multiple Content-Length headers in access logs
  • Unusual HTTP 400/413 responses indicating malformed requests

Network Indicators:

  • HTTP traffic with duplicate Content-Length headers
  • Requests where Content-Length: 0 appears after another Content-Length header

SIEM Query:

http.headers:"Content-Length" AND count(http.headers) > 1
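An offline check for the header pattern this page describes (several Content-Length headers, in particular a zero after a non-zero value) together with the version gate from the fix section. This is an added example, not Twisted's own code; the HTTP requests in it are constructed samples, not captured traffic, and the "conflict"/"duplicate"/"ok" labels are this example's own convention.

```python
"""Offline checks for the CVE-2020-10108 pattern: multiple Content-Length
headers in a raw HTTP/1.1 request. Added example, not Twisted project code."""
import re
from typing import List


def content_length_values(raw: bytes) -> List[str]:
    """Return every Content-Length value in the header block, in order.
    Header names compare case-insensitively, as HTTP requires."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    values = []
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"content-length":
            values.append(value.strip().decode("ascii", "replace"))
    return values


def classify(raw: bytes) -> str:
    """'ok'        : zero or one Content-Length header
       'duplicate' : several headers, all carrying the same value
       'conflict'  : several headers with differing values; a proxy or WAF
                     should reject these, and a log/SIEM rule should alert.
                     A non-zero value followed by 0 is the splitting pattern
                     this page describes."""
    vals = content_length_values(raw)
    if len(vals) <= 1:
        return "ok"
    if len(set(vals)) == 1:
        return "duplicate"
    return "conflict"


def is_fixed_version(version: str) -> bool:
    """True when a Twisted version string is 20.3.0 or later (the patched
    release named on this page). Suffixes such as rc1/post0 are ignored."""
    nums = tuple(int(p) for p in re.findall(r"\d+", version)[:3])
    return nums >= (20, 3, 0)


# Constructed samples (not captured traffic)
SPLIT = (b"POST /login HTTP/1.1\r\nHost: app.example.test\r\n"
         b"Content-Length: 10\r\nContent-Length: 0\r\n\r\nuser=alice")
CLEAN = (b"POST /login HTTP/1.1\r\nHost: app.example.test\r\n"
         b"Content-Length: 10\r\n\r\nuser=alice")
```

Run `classify()` over requests pulled from a proxy log or packet capture; only "ok" should pass to an unpatched Twisted, and `is_fixed_version(twisted.__version__)` tells you whether that gate is still needed.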

🔗 References