// For flags

CVE-2024-1135

HTTP Request Smuggling in benoitc/gunicorn

Severity Score

7.5
*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

Attend
*SSVC
Descriptions

Gunicorn fails to properly validate Transfer-Encoding headers, leading to HTTP Request Smuggling (HRS) vulnerabilities. By crafting requests with conflicting Transfer-Encoding headers, attackers can bypass security restrictions and access restricted endpoints. This issue is due to Gunicorn's handling of Transfer-Encoding headers, where it incorrectly processes requests with multiple, conflicting Transfer-Encoding headers, treating them as chunked regardless of the final encoding specified. This vulnerability allows for a range of attacks including cache poisoning, session manipulation, and data exposure.

Gunicorn no puede validar correctamente los encabezados Transfer-Encoding, lo que genera vulnerabilidades de contrabando de solicitudes HTTP (HRS). Al manipular solicitudes con encabezados Transfer-Encoding conflictivos, los atacantes pueden eludir las restricciones de seguridad y acceder a endpoints restringidos. Este problema se debe al manejo que hace Gunicorn de los encabezados Transfer-Encoding, donde procesa incorrectamente solicitudes con múltiples encabezados Transfer-Encoding conflictivos, tratándolos como fragmentados independientemente de la codificación final especificada. Esta vulnerabilidad permite una variedad de ataques que incluyen envenenamiento de caché, manipulación de sesiones y exposición de datos.

An HTTP Request Smuggling vulnerability was found in Gunicorn. By crafting requests with conflicting Transfer-Encoding headers, attackers can bypass security restrictions and access restricted endpoints. This issue is due to Gunicorn's handling of Transfer-Encoding headers, where it incorrectly processes requests with multiple, conflicting Transfer-Encoding headers, treating them as chunked regardless of the final encoding specified. This vulnerability allows for a range of attacks, including cache poisoning, session manipulation, and data exposure.

An updated version of Red Hat Update Infrastructure is now available. RHUI 4.11 updates Pulp to a newer upstream version, fixes several issues, and adds an enhancement. Issues addressed include HTTP request smuggling, cross site scripting, denial of service, memory exhaustion, null pointer, and remote SQL injection vulnerabilities.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None
Attack Vector
Network
Attack Complexity
Low
Authentication
None
Confidentiality
Partial
Integrity
Complete
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:Attend
Exploitation
None
Automatable
Yes
Tech. Impact
Total
* Organization's Worst-case Scenario
Timeline
  • 2024-01-31 CVE Reserved
  • 2024-04-16 CVE Published
  • 2025-02-13 CVE Updated
  • 2025-04-15 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Benoitc
Search vendor "Benoitc"
 Gunicorn
Search vendor "Benoitc" for product "Gunicorn"
*-
Affected
Redhat
Search vendor "Redhat"
 Ansible Automation Platform
Search vendor "Redhat" for product "Ansible Automation Platform"
*-
Affected
Redhat
Search vendor "Redhat"
 Openstack
Search vendor "Redhat" for product "Openstack"
*-
Affected
Redhat
Search vendor "Redhat"
 Satellite
Search vendor "Redhat" for product "Satellite"
*-
Affected
Redhat
Search vendor "Redhat"
 Satellite Capsule
Search vendor "Redhat" for product "Satellite Capsule"
*-
Affected
Debian
Search vendor "Debian"
 Debian Linux
Search vendor "Debian" for product "Debian Linux"
*-
Affected
Opensuse
Search vendor "Opensuse"
 Leap
Search vendor "Opensuse" for product "Leap"
*-
Affected
Redhat
Search vendor "Redhat"
 Enterprise Linux
Search vendor "Redhat" for product "Enterprise Linux"
*-
Affected
Suse
Search vendor "Suse"
 Ses
Search vendor "Suse" for product "Ses"
*-
Affected
Suse
Search vendor "Suse"
 Sle-module-public-cloud
Search vendor "Suse" for product "Sle-module-public-cloud"
*-
Affected
Suse
Search vendor "Suse"
 Sle-module-python3
Search vendor "Suse" for product "Sle-module-python3"
*-
Affected
Suse
Search vendor "Suse"
 Sle Hpc-espos
Search vendor "Suse" for product "Sle Hpc-espos"
*-
Affected
Suse
Search vendor "Suse"
 Sle Hpc-ltss
Search vendor "Suse" for product "Sle Hpc-ltss"
*-
Affected
Suse
Search vendor "Suse"
 Sle Hpc
Search vendor "Suse" for product "Sle Hpc"
*-
Affected
Suse
Search vendor "Suse"
 Sled
Search vendor "Suse" for product "Sled"
*-
Affected
Suse
Search vendor "Suse"
 Sles-ltss
Search vendor "Suse" for product "Sles-ltss"
*-
Affected
Suse
Search vendor "Suse"
 Sles
Search vendor "Suse" for product "Sles"
*-
Affected
Suse
Search vendor "Suse"
 Sles Sap
Search vendor "Suse" for product "Sles Sap"
*-
Affected
Suse
Search vendor "Suse"
 Suse-manager-proxy
Search vendor "Suse" for product "Suse-manager-proxy"
*-
Affected
Suse
Search vendor "Suse"
 Suse-manager-retail-branch-server
Search vendor "Suse" for product "Suse-manager-retail-branch-server"
*-
Affected
Suse
Search vendor "Suse"
 Suse-manager-server
Search vendor "Suse" for product "Suse-manager-server"
*-
Affected