PyPI: gunicorn
CVE-2024-1135
Safety vulnerability ID: SFTY-20240416-77714
Safety legacy ID: pyup.io-71600
Overview
Request smuggling leading to endpoint restriction bypass in Gunicorn
Advisory
Gunicorn fails to properly validate Transfer-Encoding headers, leading to HTTP Request Smuggling (HRS) vulnerabilities. By crafting requests with conflicting Transfer-Encoding headers, attackers can bypass security restrictions and access restricted endpoints. The root cause is Gunicorn's handling of requests that carry multiple, conflicting Transfer-Encoding headers: it treats them as chunked regardless of the final encoding specified. This vulnerability allows for a range of attacks including cache poisoning, session manipulation, and data exposure.
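The following is an added example, not gunicorn's own code or the project's fix: a strict request-framing check that rejects, rather than interprets, the header shapes the advisory describes (repeated or conflicting Transfer-Encoding values where chunked is not the single final coding), and also covers the related Transfer-Encoding plus Content-Length ambiguity. The names BadRequest, body_framing and KNOWN_CODINGS are the example's own.

```python
# Added example, not gunicorn's own code: a strict reading of request framing
# headers that refuses to guess when Transfer-Encoding is repeated, conflicting,
# or combined with Content-Length. Treating a request as chunked whenever
# "chunked" appears anywhere (the lenient behaviour the advisory describes) is
# what lets two parsers in a proxy chain disagree about where a request ends.
from typing import List, Tuple, Union

KNOWN_CODINGS = {"chunked", "gzip", "compress", "deflate"}

class BadRequest(Exception):
    """Framing is ambiguous: answer 400 and close the connection."""

def parse_transfer_encodings(values: List[str]) -> List[str]:
    """Merge repeated Transfer-Encoding fields into one ordered list of
    lower-cased codings (a repeated field is equivalent to a comma list)."""
    codings: List[str] = []
    for value in values:
        codings.extend(t.strip().lower() for t in value.split(",") if t.strip())
    return codings

def is_chunked_strict(values: List[str]) -> bool:
    """True only when 'chunked' is the single, final coding (RFC 7230 3.3.3);
    every other Transfer-Encoding shape is rejected rather than interpreted."""
    codings = parse_transfer_encodings(values)
    if not codings:
        return False
    unknown = sorted(set(codings) - KNOWN_CODINGS)
    if unknown:
        raise BadRequest(f"unknown transfer coding {unknown}")
    if codings.count("chunked") != 1 or codings[-1] != "chunked":
        raise BadRequest(f"chunked must be the single final coding, got {codings}")
    return True

def body_framing(headers: List[Tuple[str, str]]) -> Union[str, Tuple[str, int]]:
    """Return 'chunked', ('length', n) or 'none'. Transfer-Encoding together
    with Content-Length is the classic smuggling ambiguity, so it is rejected."""
    te = [v for k, v in headers if k.lower() == "transfer-encoding"]
    cl = [v for k, v in headers if k.lower() == "content-length"]
    chunked = is_chunked_strict(te)
    if chunked and cl:
        raise BadRequest("both Transfer-Encoding and Content-Length present")
    if chunked:
        return "chunked"
    if cl:
        if len(set(cl)) != 1 or not cl[0].strip().isdigit():
            raise BadRequest(f"invalid or conflicting Content-Length {cl}")
        return ("length", int(cl[0]))
    return "none"
```

A front-end proxy and the application server must reach the same answer from body_framing for every request, or a request boundary can be smuggled between them; logging each BadRequest gives a cheap detection signal for probing.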
How to Fix
Mitigation and Workarounds
---
Vulnerable Functions
Functions linked to known vulnerabilities.
References
- https://getsafety.com/vulnerabilities/SFTY-20240416-77714/CVE-2024-1135
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-1135
- https://github.com/benoitc/gunicorn/commit/0d32ab1356bd178925d15ba52df91daedfac2aad
- https://github.com/benoitc/gunicorn/commit/ac29c9b0a758d21f1e0fb3b3457239e523fa9f1d
- https://github.com/benoitc/gunicorn/releases/tag/23.0.0
- https://huntr.com/bounties/22158e34-cfd5-41ad-97e0-a780773d96c1
- https://nvd.nist.gov/vuln/detail/CVE-2024-1135
- https://github.com/benoitc/gunicorn/releases/tag/22.0.0
- https://lists.debian.org/debian-lts-announce/2024/06/msg00027.html
- https://lists.debian.org/debian-lts-announce/2024/12/msg00018.html
- https://github.com/benoitc/gunicorn/issues/3091
- https://github.com/benoitc/gunicorn/pull/3113
- https://github.com/advisories/GHSA-w3h3-4rj7-4ph4
Verified by Safety
Our Cybersecurity Intelligence Team reviewed this vulnerability. We combine public data with our own research to find issues not yet reported to public sources.
