GHSA-5423-JCJM-2GPV Traefik affected by Go HTTP Request Smuggling Vulnerability

Summary net/http: request smuggling through invalid chunked data: The net/http package accepts data in the chunked transfer encoding containing an invalid chunk-size line terminated by a bare LF. When used in conjunction with a server or proxy which incorrectly interprets a bare LF in a chunk...

Important: golang

Issue Overview: The net/http package accepted data in the chunked transfer encoding containing an invalid chunk-size line terminated by a bare LF. When used in conjunction with a server or proxy which incorrectly interprets a bare LF in a chunk extension as part of the extension, this could permi...

Amazon Linux 2023 : golang, golang-bin, golang-misc (ALAS2023-2025-933)

It is, therefore, affected by a vulnerability as referenced in the ALAS2023-2025-933 advisory. The net/http package accepted data in the chunked transfer encoding containing an invalid chunk-size line terminated by a bare LF. When used in conjunction with a server or proxy which incorrectly...

Security update for python-gunicorn

This update for python-gunicorn fixes the following issues: CVE-2024-6827: Fixed improper validation of the 'Transfer-Encoding' header value can allow for HTTP request smuggling attacks bsc1239830 Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like...

SUSE CVE-2024-6827

Gunicorn version 21.2.0 does not properly validate the value of the 'Transfer-Encoding' header as specified in the RFC standards, which leads to the default fallback method of 'Content-Length,' making it vulnerable to TE.CL request smuggling. This vulnerability can lead to cache poisoning, data...

HTTP Request Smuggling

Overview gunicorn is a Python WSGI HTTP Server for UNIX Affected versions of this package are vulnerable to HTTP Request Smuggling due to improper validation of the Transfer-Encoding header. An attacker can manipulate session data, poison caches, or compromise data integrity by exploiting the...

Gunicorn HTTP Request/Response Smuggling vulnerability

Gunicorn version 21.2.0 does not properly validate the value of the 'Transfer-Encoding' header as specified in the RFC standards, which leads to the default fallback method of 'Content-Length,' making it vulnerable to TE.CL request smuggling. This vulnerability can lead to cache poisoning, data...

CVE-2024-6827

Gunicorn version 21.2.0 does not properly validate the value of the 'Transfer-Encoding' header as specified in the RFC standards, which leads to the default fallback method of 'Content-Length,' making it vulnerable to TE.CL request smuggling. This vulnerability can lead to cache poisoning, data...

DEBIAN-CVE-2024-6827

Gunicorn version 21.2.0 does not properly validate the value of the 'Transfer-Encoding' header as specified in the RFC standards, which leads to the default fallback method of 'Content-Length,' making it vulnerable to TE.CL request smuggling. This vulnerability can lead to cache poisoning, data...

UBUNTU-CVE-2024-6827

Gunicorn version 21.2.0 does not properly validate the value of the 'Transfer-Encoding' header as specified in the RFC standards, which leads to the default fallback method of 'Content-Length,' making it vulnerable to TE.CL request smuggling. This vulnerability can lead to cache poisoning, data...

CVE-2024-6827

CVE-2024-6827 affects Gunicorn 21.2.0 where Transfer-Encoding is not properly validated, causing fallback to Content-Length and TE.CL HTTP request smuggling. This can lead to cache poisoning, data exposure, session manipulation, SSRF, XSS, DoS, and data integrity issues. Root cause: improper vali...

CVE-2024-6827 HTTP Request Smuggling in benoitc/gunicorn

Gunicorn version 21.2.0 does not properly validate the value of the 'Transfer-Encoding' header as specified in the RFC standards, which leads to the default fallback method of 'Content-Length,' making it vulnerable to TE.CL request smuggling. This vulnerability can lead to cache poisoning, data...

Gunicorn 环境问题漏洞

Gunicorn is a Python web server gateway interface HTTP server from the Gunicorn open source. An environment issue vulnerability exists in Gunicorn version 21.2.0 that stems from improper validation of the Transfer-Encoding header, which could lead to a request entrapment attack...

Linux Distros Unpatched Vulnerability : CVE-2024-1135

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Gunicorn fails to properly validate Transfer-Encoding headers, leading to HTTP Request Smuggling HRS vulnerabilities. By crafting requests with conflicting...

python-gunicorn: HTTP Request Smuggling due to improper validation of Transfer-Encoding headers

An HTTP Request Smuggling vulnerability was found in Gunicorn. By crafting requests with conflicting Transfer-Encoding headers, attackers can bypass security restrictions and access restricted endpoints. This issue is due to Gunicorn's handling of Transfer-Encoding headers, where it incorrectly...

Important: ruby

Issue Overview: An issue was discovered in the WEBrick toolkit through 1.8.1 for Ruby. It allows HTTP request smuggling by providing both a Content-Length header and a Transfer-Encoding header, e.g., "GET /admin HTTP/1.1\r\n" inside of a "POST /user HTTP/1.1\r\n" request. NOTE: the supplier's...

OESA-2024-2531 libsoup3 security update

Libsoup is an HTTP library implementation in C. It was originally part of a SOAP Simple Object Access Protocol implementation called Soup, but the SOAP and non-SOAP parts have now been split into separate packages. Security Fixes: GNOME libsoup before 3.6.0 allows HTTP request smuggling in some...

netty: HTTP Request Smuggling due to Transfer-Encoding whitespace mishandling

A flaw was found in Netty, where it mishandles Transfer-Encoding whitespace. This flaw allows HTTP Request Smuggling...

libsoup: HTTP request smuggling via stripping null bytes from the ends of header names

A flaw was found in the Libsoup library. When Libsoup parses HTTP headers, it ignores null bytes at the end of header names. Thus, Transfer-Encoding: chunked is equivalent to Transfer-Encoding\x00: chunked. This issue allows request smuggling when Libsoup is used in a service behind a reverse pro...

libsoup: HTTP request smuggling via stripping null bytes from the ends of header names

A flaw was found in the Libsoup library. When Libsoup parses HTTP headers, it ignores null bytes at the end of header names. Thus, Transfer-Encoding: chunked is equivalent to Transfer-Encoding\x00: chunked. This issue allows request smuggling when Libsoup is used in a service behind a reverse pro...