2275280 – (CVE-2024-1135) CVE-2024-1135 python-gunicorn: HTTP Request Smuggling due to improper validation of Transfer-Encoding headers

Bug 2275280 (CVE-2024-1135) - CVE-2024-1135 python-gunicorn: HTTP Request Smuggling due to improper validation of Transfer-Encoding headers

Summary: CVE-2024-1135 python-gunicorn: HTTP Request Smuggling due to improper validat...

Keywords:
Status:	NEW
Alias:	CVE-2024-1135
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2275348 2275349 2275350 2275351 2275352 2275353 2275354 2275355 2275356 2277405 2277406 2277407 2277408 2275357 2275358
Blocks:	2275366
TreeView+	depends on / blocked

Reported:	2024-04-16 12:32 UTC by Mauro Matteo Cascella
Modified:	2024-04-26 20:11 UTC (History)
CC List:	59 users (show)
Fixed In Version:	gunicorn 22.0.0
Doc Type:	---
Doc Text:	An HTTP Request Smuggling vulnerability was found in Gunicorn. By crafting requests with conflicting Transfer-Encoding headers, attackers can bypass security restrictions and access restricted endpoints. This issue is due to Gunicorn's handling of Transfer-Encoding headers, where it incorrectly processes requests with multiple, conflicting Transfer-Encoding headers, treating them as chunked regardless of the final encoding specified. This vulnerability allows for a range of attacks, including cache poisoning, session manipulation, and data exposure.
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description Mauro Matteo Cascella 2024-04-16 12:32:26 UTC

Gunicorn fails to properly validate Transfer-Encoding headers, leading to HTTP Request Smuggling (HRS) vulnerabilities. By crafting requests with conflicting Transfer-Encoding headers, attackers can bypass security restrictions and access restricted endpoints. This issue is due to Gunicorn's handling of Transfer-Encoding headers, where it incorrectly processes requests with multiple, conflicting Transfer-Encoding headers, treating them as chunked regardless of the final encoding specified. This vulnerability allows for a range of attacks including cache poisoning, session manipulation, and data exposure.

Huntr security advisory:
https://huntr.com/bounties/22158e34-cfd5-41ad-97e0-a780773d96c1

Comment 1 Mauro Matteo Cascella 2024-04-16 12:37:23 UTC

Upstream fix:
https://github.com/benoitc/gunicorn/commit/ac29c9b0a758d21f1e0fb3b3457239e523fa9f1d

Comment 2 Mauro Matteo Cascella 2024-04-16 20:37:55 UTC

Created graphite-web tracking bugs for this issue:

Affects: epel-all [bug 2275349]


Created python-gunicorn tracking bugs for this issue:

Affects: epel-all [bug 2275350]
Affects: fedora-all [bug 2275348]


Created python3-gunicorn tracking bugs for this issue:

Affects: epel-all [bug 2275351]

Note You need to log in before you can comment on or make changes to this bug.

aarif
adudiak
aprice
bbuckingham
bcourt
bdettelb
caswilli
davidn
dfreiber
drow
eglynn
ehelms
epacific
gtanzill
hkataria
jburrell
jcammara
jhardy
jjoyce
jmitchel
jneedle
jobarker
jsamir
jschluet
jsherril
jtanner
kaycoth
kholdawa
kshier
lhh
lsvaty
lzap
mabashia
mburns
mgarciac
mhulan
mminar
mpierce
njohnston
nmoumoul
omaciel
orabin
osapryki
pcreech
pgrist
psegedy
rbiba
rchan
sidakwo
simaishi
smcdonal
sskracic
stcannon
sthirugn
teagle
vkrizan
vkumar
yguenane
zsadeh