Package | gunicorn |
---|---|
Version | 19.6.0-10+deb9u3 (stretch) |
Related CVEs | CVE-2024-1135 |
Gunicorn, an event-based HTTP/WSGI server, fails to properly validate Transfer-Encoding headers, leading to HTTP Request Smuggling (HRS) vulnerabilities. By crafting requests with conflicting Transfer-Encoding headers, attackers can bypass security restrictions and access restricted endpoints. The issue lies in Gunicorn’s handling of Transfer-Encoding: a request carrying multiple, conflicting Transfer-Encoding headers is treated as chunked regardless of the final encoding specified, so Gunicorn and a reverse proxy in front of it that frames the same request differently (for example by its Content-Length) disagree about where one request ends and the next begins. An attacker who controls that boundary can smuggle a second request past the proxy’s access controls; the consequences include cache poisoning, session manipulation and data exposure.
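The following is an added example written for this advisory; it is not Gunicorn’s source code and does not reproduce the exact patch. `lenient_framing` models the behaviour the CVE describes (a Transfer-Encoding header that says `chunked` wins, whatever follows it), `strict_framing` models the RFC 9112 rule a fixed server should apply (reject ambiguous framing with a 400), and `read_body` shows what each framing leaves unconsumed on the connection. The request bytes, the host `example.test` and the paths `/submit` and `/admin` are constructed for the demonstration.

```python
from typing import List, Optional, Tuple

Header = Tuple[str, str]
KNOWN_CODINGS = {"chunked", "identity", "gzip", "deflate", "compress"}


class InvalidFraming(ValueError):
    """Body framing is ambiguous or unsupported; a server should answer 400."""


def parse_head(raw: bytes) -> Tuple[bytes, List[Header], bytes]:
    """Split an HTTP/1.1 message into (request line, headers, body bytes);
    header names are upper-cased and duplicate headers are kept in order."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.append((name.strip().decode().upper(), value.strip().decode()))
    return lines[0], headers, body


def lenient_framing(headers: List[Header]) -> Tuple[bool, Optional[int]]:
    """Model of the vulnerable behaviour (not Gunicorn's code): any Transfer-Encoding
    saying 'chunked' switches on chunked framing; a later conflicting value or a
    Content-Length never switches it back."""
    chunked, content_length = False, None
    for name, value in headers:
        if name == "CONTENT-LENGTH":
            content_length = int(value)
        elif name == "TRANSFER-ENCODING" and value.strip().lower() == "chunked":
            chunked = True
    return chunked, content_length


def strict_framing(headers: List[Header]) -> Tuple[bool, Optional[int]]:
    """Hardened model (RFC 9112 section 6): at most one numeric Content-Length,
    Transfer-Encoding is a comma list that must end with a single 'chunked',
    unknown codings are refused, and TE together with CL is refused."""
    chunked, content_length, saw_te = False, None, False
    for name, value in headers:
        if name == "CONTENT-LENGTH":
            if content_length is not None or not value.isdigit():
                raise InvalidFraming("duplicate or malformed Content-Length")
            content_length = int(value)
        elif name == "TRANSFER-ENCODING":
            saw_te = True
            for coding in (v.strip().lower() for v in value.split(",")):
                if chunked:  # nothing may follow chunked, not even a second chunked
                    raise InvalidFraming("coding after chunked: %r" % coding)
                if coding not in KNOWN_CODINGS:
                    raise InvalidFraming("unsupported coding: %r" % coding)
                chunked = coding == "chunked"
    if saw_te and not chunked:
        raise InvalidFraming("Transfer-Encoding does not end with chunked")
    if chunked and content_length is not None:
        raise InvalidFraming("both Transfer-Encoding and Content-Length present")
    return chunked, content_length


def framing_rejected(headers: List[Header]) -> bool:
    """True when the strict parser refuses the request (a 400 in a real server)."""
    try:
        strict_framing(headers)
    except InvalidFraming:
        return True
    return False


def read_body(data: bytes, chunked: bool, content_length: Optional[int]):
    """Consume one body under the given framing and return (body, leftover);
    the leftover is what the server would parse as the *next* request."""
    if not chunked:
        n = content_length or 0
        return data[:n], data[n:]
    out, pos = bytearray(), 0
    while True:
        eol = data.index(b"\r\n", pos)
        size = int(data[pos:eol].split(b";")[0], 16)  # ignore chunk extensions
        pos = eol + 2
        if size == 0:  # last chunk: skip trailer lines up to the empty line
            while data[pos:pos + 2] != b"\r\n":
                pos = data.index(b"\r\n", pos) + 2
            return bytes(out), data[pos + 2:]
        out += data[pos:pos + size]
        pos += size + 2  # chunk data is followed by CRLF


# Constructed CL.TE sample: a proxy framing by Content-Length sees one request,
# while a back end that honours 'chunked' stops at the 0 chunk and later treats
# SMUGGLED as a fresh request on the same connection.
SMUGGLED = b"GET /admin HTTP/1.1\r\nHost: example.test\r\n\r\n"
BODY = b"0\r\n\r\n" + SMUGGLED
RAW = b"\r\n".join([
    b"POST /submit HTTP/1.1", b"Host: example.test",
    b"Content-Length: %d" % len(BODY),
    b"Transfer-Encoding: chunked", b"Transfer-Encoding: identity", b"",
]) + b"\r\n" + BODY


def demo() -> Tuple[bytes, bytes, bool]:
    """Return (proxy leftover, vulnerable back-end leftover, strict verdict)."""
    _, headers, body = parse_head(RAW)
    cl = int(next(v for n, v in headers if n == "CONTENT-LENGTH"))
    _, proxy_rest = read_body(body, False, cl)
    _, backend_rest = read_body(body, *lenient_framing(headers))
    return proxy_rest, backend_rest, framing_rejected(headers)
```

Running `demo()` returns an empty proxy leftover, the full `GET /admin` request as the lenient back end's leftover, and `True` from the strict parser: the proxy forwarded one request, the vulnerable server will execute two, and the hardened server refuses the request before any body is read. The same check flags duplicate `Content-Length` headers and `Transfer-Encoding` lists that do not end in `chunked`, which are the other classic desynchronisation vectors.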
For Debian 9 stretch, these problems have been fixed in version 19.6.0-10+deb9u3.
We recommend that you upgrade your gunicorn packages.
Further information about Extended LTS security advisories can be found in the dedicated section of our website.