Bug 2275280 (CVE-2024-1135) - CVE-2024-1135 python-gunicorn: HTTP Request Smuggling due to improper validation of Transfer-Encoding headers
Summary: CVE-2024-1135 python-gunicorn: HTTP Request Smuggling due to improper validat...
Keywords:
Status: NEW
Alias: CVE-2024-1135
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2275349 2275351 2275348 2275350 2275352 2275353 2275354 2275355 2275356 2275357 2275358 2277405 2277406 2277407 2277408 2279609
Blocks: 2275366
TreeView+ depends on / blocked
 
Reported: 2024-04-16 12:32 UTC by Mauro Matteo Cascella
Modified: 2025-04-01 08:28 UTC (History)
58 users (show)

Fixed In Version: gunicorn 22.0.0
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2024:2727 0 None None None 2024-05-22 20:43:05 UTC
Red Hat Product Errata RHSA-2024:2875 0 None None None 2024-05-23 18:11:31 UTC
Red Hat Product Errata RHSA-2024:3327 0 None None None 2024-05-29 15:42:22 UTC
Red Hat Product Errata RHSA-2024:3331 0 None None None 2024-05-30 00:39:08 UTC
Red Hat Product Errata RHSA-2024:3713 0 None None None 2024-06-12 04:03:33 UTC
Red Hat Product Errata RHSA-2024:3781 0 None None None 2024-06-10 18:37:48 UTC
Red Hat Product Errata RHSA-2024:4054 0 None None None 2024-06-24 01:04:06 UTC
Red Hat Product Errata RHSA-2024:7987 0 None None None 2024-10-10 20:28:55 UTC
Red Hat Product Errata RHSA-2025:1335 0 None None None 2025-02-12 00:09:11 UTC

Description Mauro Matteo Cascella 2024-04-16 12:32:26 UTC 
Gunicorn fails to properly validate Transfer-Encoding headers, leading to HTTP Request Smuggling (HRS) vulnerabilities. By crafting requests with conflicting Transfer-Encoding headers, attackers can bypass security restrictions and access restricted endpoints. This issue is due to Gunicorn's handling of Transfer-Encoding headers, where it incorrectly processes requests with multiple, conflicting Transfer-Encoding headers, treating them as chunked regardless of the final encoding specified. This vulnerability allows for a range of attacks including cache poisoning, session manipulation, and data exposure.

Huntr security advisory:
https://huntr.com/bounties/22158e34-cfd5-41ad-97e0-a780773d96c1
Comment 1 Mauro Matteo Cascella 2024-04-16 12:37:23 UTC 
Upstream fix:
https://github.com/benoitc/gunicorn/commit/ac29c9b0a758d21f1e0fb3b3457239e523fa9f1d
Comment 2 Mauro Matteo Cascella 2024-04-16 20:37:55 UTC 
Created graphite-web tracking bugs for this issue:

Affects: epel-all [bug 2275349]


Created python-gunicorn tracking bugs for this issue:

Affects: epel-all [bug 2275350]
Affects: fedora-all [bug 2275348]


Created python3-gunicorn tracking bugs for this issue:

Affects: epel-all [bug 2275351]
Comment 8 errata-xmlrpc 2024-05-22 20:43:00 UTC 
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 17.1 for RHEL 9

Via RHSA-2024:2727 https://access.redhat.com/errata/RHSA-2024:2727
Comment 9 errata-xmlrpc 2024-05-23 18:11:24 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2024:2875 https://access.redhat.com/errata/RHSA-2024:2875
Comment 10 errata-xmlrpc 2024-05-29 15:42:17 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2024:3327 https://access.redhat.com/errata/RHSA-2024:3327
Comment 11 errata-xmlrpc 2024-05-30 00:39:03 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2024:3331 https://access.redhat.com/errata/RHSA-2024:3331
Comment 12 errata-xmlrpc 2024-06-10 18:37:43 UTC 
This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 2.4 for RHEL 9
  Red Hat Ansible Automation Platform 2.4 for RHEL 8

Via RHSA-2024:3781 https://access.redhat.com/errata/RHSA-2024:3781
Comment 13 errata-xmlrpc 2024-06-12 04:03:29 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.12

Via RHSA-2024:3713 https://access.redhat.com/errata/RHSA-2024:3713
Comment 14 errata-xmlrpc 2024-06-24 01:04:02 UTC 
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.2

Via RHSA-2024:4054 https://access.redhat.com/errata/RHSA-2024:4054
Comment 16 errata-xmlrpc 2024-10-10 20:28:51 UTC 
This issue has been addressed in the following products:

  Red Hat Satellite 6.15 for RHEL 8

Via RHSA-2024:7987 https://access.redhat.com/errata/RHSA-2024:7987
Comment 17 errata-xmlrpc 2025-02-12 00:09:07 UTC 
This issue has been addressed in the following products:

  RHUI 4 for RHEL 8

Via RHSA-2025:1335 https://access.redhat.com/errata/RHSA-2025:1335
Note You need to log in before you can comment on or make changes to this bug.