Gunicorn fails to properly validate Transfer-Encoding headers, leading to HTTP Request Smuggling (HRS) vulnerabilities. By crafting requests with conflicting Transfer-Encoding headers, attackers can bypass security restrictions and access restricted endpoints. This issue is due to Gunicorn's handling of Transfer-Encoding headers, where it incorrectly processes requests with multiple, conflicting Transfer-Encoding headers, treating them as chunked regardless of the final encoding specified. This vulnerability allows for a range of attacks including cache poisoning, session manipulation, and data exposure.
References
Configurations
No configuration.
History
30 Jun 2024, 23:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
|
Summary |
|
16 Apr 2024, 00:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-04-16 00:15
Updated : 2024-06-30 23:15
NVD link : CVE-2024-1135
Mitre link : CVE-2024-1135
CVE.ORG link : CVE-2024-1135
JSON object : View
Products Affected
No product.
CWE
CWE-444
Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')