Gunicorn fails to properly validate Transfer-Encoding headers, leading to HTTP Request Smuggling (HRS) vulnerabilities. By crafting requests with conflicting Transfer-Encoding headers, attackers can bypass security restrictions and access restricted endpoints. This issue is due to Gunicorn's handling of Transfer-Encoding headers, where it incorrectly processes requests with multiple, conflicting Transfer-Encoding headers, treating them as chunked regardless of the final encoding specified. This vulnerability allows for a range of attacks including cache poisoning, session manipulation, and data exposure.
History

Fri, 20 Dec 2024 07:45:00 +0000

Type Values Removed Values Added
References

Fri, 20 Dec 2024 07:15:00 +0000

Type Values Removed Values Added
First Time appeared Benoitc
Benoitc gunicorn
CPEs cpe:2.3:a:benoitc:gunicorn:*:*:*:*:*:*:*:*
Vendors & Products Benoitc
Benoitc gunicorn
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 11 Oct 2024 14:45:00 +0000

Type Values Removed Values Added
First Time appeared Redhat satellite
Redhat satellite Capsule
CPEs cpe:/a:redhat:satellite:6.15::el8
cpe:/a:redhat:satellite_capsule:6.15::el8
Vendors & Products Redhat satellite
Redhat satellite Capsule

cve-icon MITRE

Status: PUBLISHED

Assigner: @huntr_ai

Published: 2024-04-16T00:00:14.938Z

Updated: 2024-12-20T07:02:46.961Z

Reserved: 2024-01-31T18:15:14.296Z

Link: CVE-2024-1135

cve-icon Vulnrichment

Updated: 2024-12-20T07:02:46.961Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2024-04-16T00:15:07.797

Modified: 2024-12-20T07:15:12.590

Link: CVE-2024-1135

cve-icon Redhat

Severity : Important

Publid Date: 2024-04-15T00:00:00Z

Links: CVE-2024-1135 - Bugzilla