Vulnerability Identifier: CVE-2024-1135
Published: 2024-04-16
Severity Assessment: LOW
CVSS v3.x Score: (not given on this page)
Clinical Analysis (Description)

Gunicorn fails to properly validate Transfer-Encoding headers, leading to HTTP Request Smuggling (HRS) vulnerabilities. By crafting requests with conflicting Transfer-Encoding headers, attackers can bypass security restrictions and access restricted endpoints. This issue is due to Gunicorn's handling of Transfer-Encoding headers, where it incorrectly processes requests with multiple, conflicting Transfer-Encoding headers, treating them as chunked regardless of the final encoding specified. This vulnerability allows for a range of attacks including cache poisoning, session manipulation, and data exposure.
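As an added, defender-oriented illustration (written for this page, not Gunicorn's own code): how an HTTP/1.1 server should decide body framing from Transfer-Encoding under RFC 7230 section 3.3.3, next to the lax "chunked anywhere" rule the description above says the affected Gunicorn versions apply. The header lists and the host name are constructed sample input.

```python
# Added illustration, not Gunicorn's code: deciding HTTP/1.1 body framing from
# Transfer-Encoding per RFC 7230 s3.3.3, beside the lax rule the advisory describes.
from typing import List, Tuple

RawHeaders = List[Tuple[str, str]]  # (name, value) field lines in wire order

def transfer_codings(headers: RawHeaders) -> List[str]:
    """Every Transfer-Encoding token in order, combined across field lines."""
    codings: List[str] = []
    for name, value in headers:
        if name.lower() == "transfer-encoding":
            codings.extend(t.strip().lower() for t in value.split(",") if t.strip())
    return codings

def permissive_is_chunked(headers: RawHeaders) -> bool:
    """Lax logic of the kind the advisory describes: a 'chunked' token anywhere
    makes the body chunked, even when a later coding overrides it."""
    return "chunked" in transfer_codings(headers)

def strict_framing(headers: RawHeaders) -> str:
    """Hardened decision: 'chunked', 'content-length' or 'none'; raises
    ValueError when framing is ambiguous (answer 400 and close the connection)."""
    codings = transfer_codings(headers)
    has_cl = any(n.lower() == "content-length" for n, _ in headers)
    if not codings:
        return "content-length" if has_cl else "none"
    if has_cl:
        raise ValueError("Transfer-Encoding and Content-Length both present")
    if codings[-1] != "chunked" or codings.count("chunked") != 1:
        raise ValueError(f"chunked must be the single, final coding: {codings}")
    return "chunked"

def verdict(headers: RawHeaders) -> str:
    """'accept' or 'reject' under the strict rule, e.g. for a front-proxy check."""
    try:
        strict_framing(headers)
        return "accept"
    except ValueError:
        return "reject"

# Constructed sample requests, as header field lines a parser would see.
CONFLICTING = [("Host", "app.example"), ("Transfer-Encoding", "chunked"),
               ("Transfer-Encoding", "identity")]      # chunked is not final
NORMAL = [("Host", "app.example"), ("Transfer-Encoding", "chunked")]
TE_AND_CL = [("Host", "app.example"), ("Content-Length", "4"),
             ("Transfer-Encoding", "chunked")]

if __name__ == "__main__":
    for label, req in [("conflicting", CONFLICTING), ("normal", NORMAL), ("te+cl", TE_AND_CL)]:
        print(label, "lax-chunked=", permissive_is_chunked(req), "strict=", verdict(req))
```

The conflicting request is exactly the case the description names: the lax rule still reads it as chunked, while the strict rule rejects it because chunked is not the final coding, which is also the check to apply at any reverse proxy in front of the application.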

Weakness Classification

CWE-444 (Inconsistent Interpretation of HTTP Requests, "HTTP Request/Response Smuggling")

Timeline

Publication: 16 Apr 2024
Modification: 20 Dec 2024
First patch: 15 Jul 2025
Key Metrics

CVSS Score: LOW
Patches: 3 available
Remediation Protocol

Recommended Solution: No automatic solution found. Check vendor references.
Recommended Actions for Administrators

Immediate Action Plan

1. Inventory: Identify all affected systems in your infrastructure.
2. Assessment: Assess exposure and criticality for your organization.
3. Mitigation: Apply patches or available workarounds.
4. Verification: Test and confirm effectiveness of applied measures.