CVE-2020-10108: 
Python vulnerability analysis and mitigation

In Twisted Web through version 19.10.0, a critical HTTP request splitting vulnerability was discovered. When presented with two content-length headers, the application ignored the first header and when the second content-length value was set to zero, the request body was interpreted as a pipelined request (Bishop Fox Advisory, NVD). The vulnerability was assigned CVE-2020-10108 with a CVSS v3.1 base score of 9.8 (CRITICAL).

The vulnerability stems from deviations from RFC 7230 (HTTP/1.1: Message Syntax and Routing). According to RFC 7230 Section 3.3.3#4, if a message is received with multiple content-length headers with differing values, the server must reject the message with a 400 response. However, Twisted Web failed to implement this requirement, instead ignoring the first content-length header and processing the second one, which could lead to request smuggling when the second content-length was set to zero (Bishop Fox Advisory).

Request smuggling vulnerabilities are considered high-risk and can lead to various severe outcomes, including cache poisoning, session hijacking via socket poisoning, and security filter bypasses. The actual impact varies depending on where and how Twisted is deployed in a given environment and the business purpose of the service designed with Twisted (Bishop Fox Advisory).

The vulnerability was patched in Twisted version 20.3.0rc1, released on March 9, 2020. Users are strongly advised to upgrade to this version or later to address the security issue. Multiple Linux distributions have also released security updates to address this vulnerability, including Ubuntu, Debian, and Fedora (Ubuntu Advisory, Debian Advisory, Fedora Update).