CVE-2024-1135 – Gunicorn fails to properly validate Transfer-Encoding headers, leading to HTTP Request …

16 April 2024

Vuln ID: CVE-2024-1135

Published: 2024-04-16 00:15:07.797

Description: Gunicorn fails to properly validate Transfer-Encoding headers, leading to HTTP Request Smuggling (HRS) vulnerabilities. By crafting requests with conflicting Transfer-Encoding headers, attackers can bypass security restrictions and access restricted endpoints. This issue is due to Gunicorn’s handling of Transfer-Encoding headers, where it incorrectly processes requests with multiple, conflicting Transfer-Encoding headers, treating them as chunked regardless of the final encoding specified. This vulnerability allows for a range of attacks including cache poisoning, session manipulation, and data exposure.

Base Score: –

Vector:

Source: NVD.NIST.GOV

Date:

16 April 2024

Categorie(s):

NVD

Tag(s):

NVD

UK outlaws awful default passwords on connected devices29 April 2024
Account compromise of “unprecedented scale” uses everyday home devices29 April 2024
Connected devices with awful default passwords now illegal in UK29 April 2024
Chrome users report broken connections after Chrome 124 release29 April 2024
Impact of cybersecurity organizational structure on ransomware outcomes: The most successful models29 April 2024