Gunicorn fails to properly validate Transfer-Encoding headers, leading to HTTP Request Smuggling (HRS) vulnerabilities. By crafting requests with conflicting Transfer-Encoding headers, attackers can bypass security restrictions and access restricted endpoints. This issue is due to Gunicorn's handling of Transfer-Encoding headers, where it incorrectly processes requests with multiple, conflicting Transfer-Encoding headers, treating them as chunked regardless of the final encoding specified. This vulnerability allows for a range of attacks including cache poisoning, session manipulation, and data exposure.
Metrics
Affected Vendors & Products
References
History
Fri, 20 Dec 2024 07:45:00 +0000
Type | Values Removed | Values Added |
---|---|---|
References |
|
Fri, 20 Dec 2024 07:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
First Time appeared |
Benoitc
Benoitc gunicorn |
|
CPEs | cpe:2.3:a:benoitc:gunicorn:*:*:*:*:*:*:*:* | |
Vendors & Products |
Benoitc
Benoitc gunicorn |
|
Metrics |
ssvc
|
Fri, 11 Oct 2024 14:45:00 +0000
Type | Values Removed | Values Added |
---|---|---|
First Time appeared |
Redhat satellite
Redhat satellite Capsule |
|
CPEs | cpe:/a:redhat:satellite:6.15::el8 cpe:/a:redhat:satellite_capsule:6.15::el8 |
|
Vendors & Products |
Redhat satellite
Redhat satellite Capsule |
MITRE
Status: PUBLISHED
Assigner: @huntr_ai
Published: 2024-04-16T00:00:14.938Z
Updated: 2024-12-20T07:02:46.961Z
Reserved: 2024-01-31T18:15:14.296Z
Link: CVE-2024-1135
Vulnrichment
Updated: 2024-12-20T07:02:46.961Z
NVD
Status : Awaiting Analysis
Published: 2024-04-16T00:15:07.797
Modified: 2024-12-20T07:15:12.590
Link: CVE-2024-1135
Redhat