Gunicorn fails to properly validate Transfer-Encoding headers, leading to HTTP Request Smuggling (HRS) vulnerabilities. By crafting requests with conflicting Transfer-Encoding headers, attackers can bypass security restrictions and access restricted endpoints. This issue is due to Gunicorn's handling of Transfer-Encoding headers, where it incorrectly processes requests with multiple, conflicting Transfer-Encoding headers, treating them as chunked regardless of the final encoding specified. This vulnerability allows for a range of attacks including cache poisoning, session manipulation, and data exposure.
Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

History

Thu, 13 Feb 2025 01:00:00 +0000

Type Values Removed Values Added
First Time appeared Redhat rhui
CPEs cpe:/a:redhat:rhui:4::el8
Vendors & Products Redhat rhui

Fri, 20 Dec 2024 07:45:00 +0000

Type Values Removed Values Added
References

Fri, 20 Dec 2024 07:15:00 +0000

Type Values Removed Values Added
First Time appeared Benoitc
Benoitc gunicorn
CPEs cpe:2.3:a:benoitc:gunicorn:*:*:*:*:*:*:*:*
Vendors & Products Benoitc
Benoitc gunicorn
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 11 Oct 2024 14:45:00 +0000

Type Values Removed Values Added
First Time appeared Redhat satellite
Redhat satellite Capsule
CPEs cpe:/a:redhat:satellite:6.15::el8
cpe:/a:redhat:satellite_capsule:6.15::el8
Vendors & Products Redhat satellite
Redhat satellite Capsule

cve-icon MITRE

Status: PUBLISHED

Assigner: @huntr_ai

Published:

Updated: 2025-02-13T17:27:34.444Z

Reserved: 2024-01-31T18:15:14.296Z

Link: CVE-2024-1135

cve-icon Vulnrichment

Updated: 2024-12-20T07:02:46.961Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2024-04-16T00:15:07.797

Modified: 2024-12-20T07:15:12.590

Link: CVE-2024-1135

cve-icon Redhat

Severity : Important

Publid Date: 2024-04-15T00:00:00Z

Links: CVE-2024-1135 - Bugzilla

cve-icon OpenCVE Enrichment

No data.