Description

Gunicorn fails to properly validate Transfer-Encoding headers, leading to HTTP Request Smuggling (HRS) vulnerabilities. By crafting requests with conflicting Transfer-Encoding headers, attackers can bypass security restrictions and access restricted endpoints. This issue is due to Gunicorn's handling of Transfer-Encoding headers, where it incorrectly processes requests with multiple, conflicting Transfer-Encoding headers, treating them as chunked regardless of the final encoding specified. This vulnerability allows for a range of attacks including cache poisoning, session manipulation, and data exposure.

INFO

Published Date :

2024-04-16T00:00:14.938Z

Last Modified :

2025-02-13T17:27:34.444Z

Source :

@huntr_ai
AFFECTED PRODUCTS

The following products are affected by CVE-2024-1135 vulnerability.

Vendors Products
Benoitc
  • Gunicorn
Redhat
  • Ansible Automation Platform
  • Openshift
  • Openstack
  • Rhui
  • Satellite
  • Satellite Capsule

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact