Mageia 9 MGASA-2024-0236 Critical: Gunicorn HTTP Request Smuggling

Distribution: Mageia
Date: June 24, 2024
Mageia's latest Gunicorn package release addresses critical HTTP Request Smuggling issues.

Summary

Gunicorn fails to properly validate Transfer-Encoding headers, leading to HTTP Request Smuggling (HRS) vulnerabilities. By crafting requests with conflicting Transfer-Encoding headers, attackers can bypass security restrictions and access restricted endpoints. This issue is due to Gunicorn's handling of Transfer-Encoding headers, where it incorrectly processes requests with multiple, conflicting Transfer-Encoding headers, treating them as chunked regardless of the final encoding specified. This vulnerability allows for a range of attacks including cache poisoning, session manipulation, and data exposure.
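The defect described above is a framing decision: a server that sees several Transfer-Encoding headers and still treats the body as chunked, even when chunked is not the final coding, will parse the body differently from a proxy in front of it, and that difference is what request smuggling exploits. The following added example (my own code, not Gunicorn's patch or the Mageia package) shows the strict RFC 7230 section 3.3.3 rules a server should apply before trusting a body: combine every Transfer-Encoding header in order, require chunked to be the final coding and to appear exactly once, reject Transfer-Encoding together with Content-Length, and reject obfuscated header names. The sample request heads are constructed for the example.

```python
"""Strict HTTP/1.1 message-framing check (added example, not Gunicorn's code).

Rules applied, following RFC 7230 section 3.3.3:
  * every Transfer-Encoding field is combined, in order, into one list;
  * if Transfer-Encoding is present, "chunked" must be the final coding
    and must appear exactly once;
  * Transfer-Encoding and Content-Length must not both be present;
  * duplicate Content-Length fields must agree and be valid integers.
Anything else is answered with 400 rather than guessed at.
"""
from typing import List, Optional, Tuple

Header = Tuple[str, str]


class InvalidFraming(ValueError):
    """The request's body length cannot be determined unambiguously."""


def parse_head(raw: bytes) -> List[Header]:
    """Split a raw request head into ordered (name, value) pairs.

    Header order is preserved because the framing decision depends on it.
    """
    lines = raw.decode("latin-1").split("\r\n")
    headers: List[Header] = []
    for line in lines[1:]:            # lines[0] is the request line
        if not line:
            break                     # blank line ends the header block
        if line[0] in " \t":
            raise InvalidFraming("obsolete line folding is not accepted")
        name, sep, value = line.partition(":")
        # Whitespace between the field name and the colon must be rejected;
        # it is a classic way to hide a Transfer-Encoding header from one parser.
        if not sep or not name or name != name.strip():
            raise InvalidFraming(f"malformed header line: {line!r}")
        headers.append((name, value.strip()))
    return headers


def transfer_codings(headers: List[Header]) -> Optional[List[str]]:
    """Merge all Transfer-Encoding fields into one ordered list of codings."""
    codings: List[str] = []
    for name, value in headers:
        if name.lower() == "transfer-encoding":
            for tok in value.split(","):
                tok = tok.strip().lower()
                if not tok:
                    raise InvalidFraming("empty transfer-coding")
                codings.append(tok)
    return codings or None


def decide_framing(headers: List[Header]) -> str:
    """Return 'chunked', 'content-length' or 'none'; raise on any ambiguity."""
    te = transfer_codings(headers)
    cl = [v for n, v in headers if n.lower() == "content-length"]
    if te is not None:
        if cl:
            raise InvalidFraming("Transfer-Encoding and Content-Length both present")
        if te[-1] != "chunked":
            # e.g. "chunked" followed by "gzip": length is undeterminable, MUST be 400
            raise InvalidFraming(f"chunked is not the final transfer-coding: {te}")
        if te.count("chunked") != 1:
            raise InvalidFraming("chunked applied more than once")
        return "chunked"
    if cl:
        if len(set(cl)) != 1:
            raise InvalidFraming(f"conflicting Content-Length values: {cl}")
        if not cl[0].isdigit():
            raise InvalidFraming(f"invalid Content-Length: {cl[0]!r}")
        return "content-length"
    return "none"


def check(raw: bytes) -> str:
    """Convenience wrapper: framing decision, or the 400 reason as a string."""
    try:
        return decide_framing(parse_head(raw))
    except InvalidFraming as exc:
        return f"reject (400): {exc}"


# Constructed sample request heads for demonstration.
WELL_FORMED = (b"POST /api HTTP/1.1\r\nHost: example.test\r\n"
               b"Transfer-Encoding: chunked\r\n\r\n")
CONFLICTING = (b"POST /api HTTP/1.1\r\nHost: example.test\r\n"
               b"Transfer-Encoding: chunked\r\nTransfer-Encoding: gzip\r\n\r\n")

if __name__ == "__main__":
    print(check(WELL_FORMED))   # chunked
    print(check(CONFLICTING))   # reject (400): chunked is not the final transfer-coding ...
```

The second sample is the shape of request the advisory describes: two Transfer-Encoding fields whose combined value ends in a coding other than chunked. A lenient parser that keys only on the presence of the word "chunked" accepts it; the check above refuses it, which is the safe answer because a server that cannot determine the body length has nothing it can safely forward.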

References

- https://bugs.mageia.org/show_bug.cgi?id=33146

- https://www.cve.org/CVERecord?id=CVE-2024-1135

Resolution

SRPMS

- 9/core/python-gunicorn-22.0.0-1.mga9

Severity: Critical

Publication date: 24 Jun 2024
URL: https://advisories.mageia.org/MGASA-2024-0236.html
Type: security
CVE: CVE-2024-1135
