CVE-2020-10109: 
Python vulnerability analysis and mitigation

In Twisted Web through version 19.10.0, an HTTP request splitting vulnerability was identified. The vulnerability (CVE-2020-10109) was discovered when the application incorrectly handled requests containing both content-length and chunked encoding headers. The vulnerability affected the Twisted framework, which is a Python event-based networking engine used for internet applications (CVE Database, Ubuntu Security).

When presented with a content-length and a chunked encoding header, the content-length took precedence and the remainder of the request body was interpreted as a pipelined request. According to RFC 7230 Section 3.3.3#3, if a message with both content-length and chunked encoding is accepted, transfer-encoding should override the content-length. The vulnerability has been assigned a CVSS 3.1 base score of 9.8 (Critical), with attack vector: Network, attack complexity: Low, privileges required: None, user interaction: None, scope: Unchanged, and impact levels (confidentiality, integrity, availability) all rated as High (Bishop Fox Advisory).

Request smuggling vulnerabilities are considered high-risk and can lead to various security issues including cache poisoning, session hijacking via socket poisoning, and security filter bypasses. The actual impact varies depending on where and how Twisted is deployed in a given environment and the business purpose of the service designed with Twisted (Bishop Fox Advisory).

The vulnerability was fixed in Twisted version 20.3.0rc1, released on March 9, 2020. Users are advised to upgrade to this version or later to address the security issue. Various Linux distributions have also released security updates to address this vulnerability, including Ubuntu, Fedora, and Gentoo (Gentoo Security, Ubuntu Security Notice).