Open justinrmiller opened 6 months ago
Hi @justinrmiller -- Thanks for flagging this and for opening up the PR. I will evaluate this and most likely add this change to an adjacent PR that targets another CVE, as it is only a dependency upgrade. I am looking at getting this merged in a week or so.
Thanks @ramonpzg, let me know if I can help in any way.
Hi @ramonpzg, any updates on this front? As part of SOC2 we ensure our Docker builds are free of vulnerabilities (CVEs) above a certain threshold, and this may eventually cause us to block a release.
Any progress on this? @justinrmiller @ramonpzg Security issues are not a joke :<
Describe the bug
From CVE-2024-1135:
Gunicorn fails to properly validate Transfer-Encoding headers, leading to HTTP Request Smuggling (HRS) vulnerabilities. By crafting requests with conflicting Transfer-Encoding headers, attackers can bypass security restrictions and access restricted endpoints.
Please see the following advisory for more details: https://github.com/advisories/GHSA-w3h3-4rj7-4ph4
Bumping the version should be sufficient to remediate the vulnerability, as outlined in this bullet point in the security policy:
I went ahead and cut this PR to try to address this and another vulnerability in the cryptography library: https://github.com/SeldonIO/seldon-core/pull/5524/files
To reproduce
N/A
Expected behaviour
seldon-core is not vulnerable to the CVE
Environment
All environments.
Model Details
N/A
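The advisory quoted in the issue body describes ambiguous request framing: a request carrying conflicting Transfer-Encoding headers that a front-end proxy and Gunicorn may interpret differently. As an added illustration of what a defender-side check for that condition looks like (this is example code written for this page, not code from seldon-core or Gunicorn), the block below parses a raw HTTP/1.1 request head and reports every framing ambiguity that RFC 7230 section 3.3.3 says a server must reject rather than guess about. The two sample requests, the hostname `example.invalid` and the `/predict` path are constructed for the example.

```python
"""Added example (not seldon-core or Gunicorn code): report ambiguous HTTP/1.1
message framing, the condition behind the Transfer-Encoding advisory above.
Sample requests at the bottom are constructed for illustration."""
from typing import List, Tuple

KNOWN_CODINGS = {"chunked", "gzip", "x-gzip", "deflate", "compress", "x-compress", "identity"}


def parse_headers(raw: bytes) -> Tuple[str, List[Tuple[str, str]]]:
    """Split a raw request into its request line and (name, value) header pairs.
    Names are lower-cased; duplicate fields are kept so conflicts stay visible."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    request_line, headers = lines[0], []
    for line in lines[1:]:
        if not line:
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((name.strip().lower(), value.strip()))
    return request_line, headers


def framing_problems(headers: List[Tuple[str, str]]) -> List[str]:
    """Return the reasons a message's framing is ambiguous; an empty list means
    the request can be framed unambiguously. Rules follow RFC 7230 s.3.3.3."""
    problems: List[str] = []
    te_values = [v for n, v in headers if n == "transfer-encoding"]
    cl_values = [v for n, v in headers if n == "content-length"]

    if len(te_values) > 1:
        problems.append("multiple Transfer-Encoding header fields")
    if te_values and cl_values:
        # A server must not trust Content-Length when Transfer-Encoding is present.
        problems.append("Transfer-Encoding and Content-Length both present")
    if len(set(cl_values)) > 1:
        problems.append("conflicting Content-Length values")

    for te in te_values:
        codings = [c.strip().lower() for c in te.split(",") if c.strip()]
        if not codings:
            problems.append("empty Transfer-Encoding value")
        elif codings[-1] != "chunked":
            # Without a final chunked coding the body length cannot be determined.
            problems.append(f"final transfer coding is not chunked: {te!r}")
        elif codings.count("chunked") > 1:
            problems.append("chunked applied more than once")
        for coding in codings:
            if coding not in KNOWN_CODINGS:
                # RFC says respond 501 rather than fall back to another framing.
                problems.append(f"unknown transfer coding: {coding!r}")
    return problems


def check_request(raw: bytes) -> List[str]:
    """Convenience wrapper: parse the raw request and return its framing problems."""
    _request_line, headers = parse_headers(raw)
    return framing_problems(headers)


# Constructed sample requests (not captured traffic).
CLEAN_REQUEST = (
    b"POST /predict HTTP/1.1\r\n"
    b"Host: example.invalid\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"0\r\n\r\n"
)

AMBIGUOUS_REQUEST = (
    b"POST /predict HTTP/1.1\r\n"
    b"Host: example.invalid\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"Transfer-Encoding: identity\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    for label, req in (("clean", CLEAN_REQUEST), ("ambiguous", AMBIGUOUS_REQUEST)):
        print(label, check_request(req) or "OK")
```

The check is deliberately strict: any of the listed conditions results in rejection (HTTP 400, or 501 for an unknown coding) instead of picking one interpretation, because the smuggling risk comes precisely from two hops picking differently. Running a check like this at the ingress does not replace the dependency upgrade the issue asks for; the server behind the proxy still has to parse framing the same way.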