A vulnerability in Twisted Web up to and including version 19.10.0 allows command injection (remote code execution).
The web server is embedded in many devices, including Synology NAS.
We strongly recommend applying patches or disconnecting affected installations from the Internet.
[+] CVE is new CVE-2020-10109 : 9.8 : CRITICAL
Vendors : twistedmatrix
Products : twisted
Vector : NETWORK
Desc : In Twisted Web through 19.10.0, there was an HTTP request splitting vulnerability. When presented with a content-length and a chunked encoding header, the content-length took precedence and the remainder of the request body was interpreted as a pipelined request.
CVSS :
attackVector : NETWORK
attackComplexity : LOW
privilegesRequired : NONE
userInteraction : NONE
confidentialityImpact : HIGH
integrityImpact : HIGH
availabilityImpact : HIGH
baseScore : 9.8
baseSeverity : CRITICAL
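The description above names the root cause: a request carrying both a Content-Length and a chunked Transfer-Encoding header, with the server choosing the wrong one. RFC 7230 section 3.3.3 says Transfer-Encoding governs in that case and that a server should reject the request or drop Content-Length. The following Python check, added here as an example and not code from Twisted or from this advisory, implements that rule from the defensive side so a front-end (reverse proxy, WAF, test harness) can refuse ambiguously framed requests before an unpatched server behind it sees them. The host name, path and sample requests are constructed for the example.

```python
"""Flag HTTP/1.1 requests whose body framing is ambiguous.

Added example, not code from Twisted or from the advisory. CVE-2020-10109
describes Twisted Web letting Content-Length win over a chunked
Transfer-Encoding. RFC 7230 section 3.3.3 requires the opposite: when both
headers are present, Transfer-Encoding governs and the request should be
rejected or Content-Length dropped. A front-end can use this check to refuse
such requests before a server behind it interprets them differently.
"""
from typing import Dict, List, Tuple


def parse_head(raw: bytes) -> Tuple[str, List[Tuple[str, str]]]:
    """Split off the request line and header block; header names are lowercased."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request head (no blank line)")
    lines = head.split(b"\r\n")
    request_line = lines[0].decode("latin-1")
    headers: List[Tuple[str, str]] = []
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon or not name.strip():
            raise ValueError("malformed header line: %r" % line)
        headers.append((name.decode("latin-1").strip().lower(),
                        value.decode("latin-1").strip()))
    return request_line, headers


def framing_verdict(raw: bytes) -> Dict[str, object]:
    """Classify body framing as 'chunked', 'content-length', 'none' or 'ambiguous'.

    The verdict also carries the action a strict front-end should take.
    """
    request_line, headers = parse_head(raw)
    cl = [v for n, v in headers if n == "content-length"]
    te = [v for n, v in headers if n == "transfer-encoding"]
    verdict: Dict[str, object] = {
        "request_line": request_line,
        "content_length": cl,
        "transfer_encoding": te,
    }
    if te and cl:
        # Both present: the exact condition behind CVE-2020-10109. RFC 7230
        # says Transfer-Encoding wins; a server that honours Content-Length
        # instead leaves the rest of the body to be read as a new request.
        verdict.update(framing="ambiguous", action="reject",
                       reason="Content-Length and Transfer-Encoding both present")
    elif len(set(cl)) > 1:
        verdict.update(framing="ambiguous", action="reject",
                       reason="conflicting Content-Length values")
    elif te:
        last = te[-1].split(",")[-1].strip().lower()
        if last != "chunked":
            # RFC 7230: without a final 'chunked' the body length is unknowable.
            verdict.update(framing="ambiguous", action="reject",
                           reason="Transfer-Encoding does not end in chunked")
        else:
            verdict.update(framing="chunked", action="accept", reason="")
    elif cl:
        if not cl[0].isdigit():
            verdict.update(framing="ambiguous", action="reject",
                           reason="non-numeric Content-Length")
        else:
            verdict.update(framing="content-length", action="accept", reason="")
    else:
        verdict.update(framing="none", action="accept", reason="")
    return verdict


# Constructed sample requests (not captured traffic); host and path are made up.
AMBIGUOUS_REQUEST = (
    b"POST /webapi/upload HTTP/1.1\r\n"
    b"Host: nas.example.internal\r\n"
    b"Content-Length: 5\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"0\r\n\r\n"
)

CLEAN_REQUEST = (
    b"POST /webapi/upload HTTP/1.1\r\n"
    b"Host: nas.example.internal\r\n"
    b"Content-Length: 5\r\n"
    b"\r\n"
    b"hello"
)

if __name__ == "__main__":
    for label, req in (("ambiguous", AMBIGUOUS_REQUEST), ("clean", CLEAN_REQUEST)):
        v = framing_verdict(req)
        print(f"{label}: framing={v['framing']} action={v['action']} {v['reason']}")
```

The check deliberately rejects rather than "repairs" an ambiguous request: stripping Content-Length at the edge only helps if every hop behind the edge applies the same rule, which is exactly what cannot be assumed for embedded devices that ship an old Twisted.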
References
Questions? Contact: info@zero.bs