Gunicorn fails to properly validate Transfer-Encoding headers, leading to HTTP Request Smuggling (HRS) vulnerabilities. By crafting requests with conflicting Transfer-Encoding headers, attackers can bypass security restrictions and access restricted endpoints. This issue is due to Gunicorn's handling of Transfer-Encoding headers, where it incorrectly processes requests with multiple, conflicting Transfer-Encoding headers, treating them as chunked regardless of the final encoding specified. This vulnerability allows for a range of attacks including cache poisoning, session manipulation, and data exposure.
CVE-2024-1135 - High Severity Vulnerability
gunicorn-20.0.4-py2.py3-none-any.whl
WSGI HTTP Server for UNIX
Library home page: https://files.pythonhosted.org/packages/69/ca/926f7cd3a2014b16870086b2d0fdc84a9e49473c68a8dff8b57f7c156f43/gunicorn-20.0.4-py2.py3-none-any.whl
Path to dependency file: /ReactPython1/ReactPython1/PythonBackendPractice/test1/requirements.txt
Path to vulnerable library: /ReactPython1/ReactPython1/PythonBackendPractice/test1/requirements.txt
Dependency Hierarchy: - :x: **gunicorn-20.0.4-py2.py3-none-any.whl** (Vulnerable Library)
gunicorn-20.1.0-py3-none-any.whl
WSGI HTTP Server for UNIX
Library home page: https://files.pythonhosted.org/packages/e4/dd/5b190393e6066286773a67dfcc2f9492058e9b57c4867a95f1ba5caf0a83/gunicorn-20.1.0-py3-none-any.whl
Path to dependency file: /ReactPython1/requirements.txt
Path to vulnerable library: /ReactPython1/requirements.txt
Dependency Hierarchy: - :x: **gunicorn-20.1.0-py3-none-any.whl** (Vulnerable Library)
Found in HEAD commit: 6d107a6688bc22c52eeb62e12abbb00206f7105f
Found in base branch: master
Gunicorn fails to properly validate Transfer-Encoding headers, leading to HTTP Request Smuggling (HRS) vulnerabilities. By crafting requests with conflicting Transfer-Encoding headers, attackers can bypass security restrictions and access restricted endpoints. This issue is due to Gunicorn's handling of Transfer-Encoding headers, where it incorrectly processes requests with multiple, conflicting Transfer-Encoding headers, treating them as chunked regardless of the final encoding specified. This vulnerability allows for a range of attacks including cache poisoning, session manipulation, and data exposure.
Publish Date: 2024-04-16
URL: CVE-2024-1135
Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: None
For more information on CVSS3 Scores, click here.Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2024-1135
Release Date: 2024-04-16
Fix Resolution: gunicorn - 20.0.1
Step up your Open Source Security Game with Mend here