Security Bulletin: HTTP request smuggling vulnerability in IBM Business Automation Workflow Machine Learning Server CVE-2024-1135

Summary In addition to updates to operating system level packages, IBM Business Automation Workflow Machine Learning Server 23.0.2-IF003 addresses the following vulnerability CVE-2024-1135. Vulnerability Details CVEID:CVE-2024-1135 DESCRIPTION: Gunicorn is vulnerable to HTTP request smuggling,...

python-gunicorn: HTTP Request Smuggling due to improper validation of Transfer-Encoding headers

An HTTP Request Smuggling vulnerability was found in Gunicorn. By crafting requests with conflicting Transfer-Encoding headers, attackers can bypass security restrictions and access restricted endpoints. This issue is due to Gunicorn's handling of Transfer-Encoding headers, where it incorrectly...

GHSA-753J-MPMX-QQ6G Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') in tornado

Summary When Tornado receives a request with two Transfer-Encoding: chunked headers, it ignores them both. This enables request smuggling when Tornado is deployed behind a proxy server that emits such requests. Pound does this. PoC 0. Install Tornado. 1. Start a simple Tornado server that echoes...

Security Bulletin: Gunicorn-20.1.0-py3-none-any.whl is vulnerable to CVE-2024-1135 used in IBM Maximo Application Suite - Edge Data Collector

Summary IBM Maximo Application Suite - Edge Data Collector uses Gunicorn-20.1.0-py3-none-any.whl which is vulnerable to CVE-2024-1135 Vulnerability Details CVEID:CVE-2024-1135 DESCRIPTION: Gunicorn is vulnerable to HTTP request smuggling, caused by improper parsing of the HTTP transfer-encoding...

RHEL 6 : nutch (Unpatched Vulnerability)

The remote Redhat Enterprise Linux 6 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched. - jetty: Incorrect header handling CVE-2017-7658 - In Eclipse Jetty, versions 9.2.x and older, 9.3.x all...

ROS-20240603-04

Vulnerability of modproxy module of Apache HTTP Server web server is related to failure to take measures to process CRLF sequences in HTTP headers. CRLF sequences in HTTP headers. Exploitation of the vulnerability could allow an attacker, acting remotely to perform HTTP response splitting attacks...

python-gunicorn: HTTP Request Smuggling due to improper validation of Transfer-Encoding headers

An HTTP Request Smuggling vulnerability was found in Gunicorn. By crafting requests with conflicting Transfer-Encoding headers, attackers can bypass security restrictions and access restricted endpoints. This issue is due to Gunicorn's handling of Transfer-Encoding headers, where it incorrectly...

Important: Red Hat Security Advisory: Red Hat OpenStack Platform 17.1 (python-gunicorn) security update

An update for python-gunicorn is now available for Red Hat OpenStack Platform 17.1 Wallaby. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each...

RHEL 9 : Red Hat OpenStack Platform 17.1 (python-gunicorn) (RHSA-2024:2727)

The remote Redhat Enterprise Linux 9 host has a package installed that is affected by a vulnerability as referenced in the RHSA-2024:2727 advisory. Gunicorn Green Unicorn is a Python WSGI HTTP server for UNIX Security Fixes: HTTP Request Smuggling due to improper validation of Transfer-Encoding...

SUSE SLED15 / SLES15 / openSUSE 15 Security Update : python-gunicorn (SUSE-SU-2024:1440-1)

The remote SUSE Linux SLED15 / SLEDSAP15 / SLES15 / SLESSAP15 / openSUSE 15 host has a package installed that is affected by a vulnerability as referenced in the SUSE-SU-2024:1440-1 advisory. - Gunicorn fails to properly validate Transfer-Encoding headers, leading to HTTP Request Smuggling HRS...

Fedora 40 : rubygem-puma (2024-c393b8b2fb)

The remote Fedora 40 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2024-c393b8b2fb advisory. Automatic update for rubygem-puma-6.4.2-1.fc40. Changelog Tue Jan 9 2024 Vt Ondruch - 6.4.2-1 - Update to Puma 6.4.2. Resolves: rhbz2134670 Resolves...

rubygem-puma: HTTP request smuggling when parsing chunked Transfer-Encoding Bodies

A flaw was found in Puma rubygem. Versions prior 6.4.2 are susceptible to a HTTP smuggling attack when parsing chunked transfer encoding bodies on HTTP messages, which don't limit the size of the message chunk extensions. This issue may lead to uncontrolled resource consumption, possibly resultin...

SUSE CVE-2024-1135

Gunicorn fails to properly validate Transfer-Encoding headers, leading to HTTP Request Smuggling HRS vulnerabilities. By crafting requests with conflicting Transfer-Encoding headers, attackers can bypass security restrictions and access restricted endpoints. This issue is due to Gunicorn's handli...

Gunicorn < 22.0.0 HTTP Request Smuggling Vulnerability

Gunicorn is prone to a HTTP request smuggling vulnerability. SPDX-FileCopyrightText: 2024 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE = "cpe:/a:gunicorn:gunicorn"; ...

CVE-2024-1135

An HTTP Request Smuggling vulnerability was found in Gunicorn. By crafting requests with conflicting Transfer-Encoding headers, attackers can bypass security restrictions and access restricted endpoints. This issue is due to Gunicorn's handling of Transfer-Encoding headers, where it incorrectly...

HTTP Request Smuggling (HRS)

gunicorn is vulnerable to HTTP Request Smuggling HRS. The vulnerability is due to improper processing of Transfer-Encoding headers by treating them as chunked regardless of the specified encoding , which allows attackers to bypass security restrictions and access restricted endpoints by crafting...

GHSA-W3H3-4RJ7-4PH4 Request smuggling leading to endpoint restriction bypass in Gunicorn

Gunicorn fails to properly validate Transfer-Encoding headers, leading to HTTP Request Smuggling HRS vulnerabilities. By crafting requests with conflicting Transfer-Encoding headers, attackers can bypass security restrictions and access restricted endpoints. This issue is due to Gunicorn's handli...

Request smuggling leading to endpoint restriction bypass in Gunicorn

Gunicorn fails to properly validate Transfer-Encoding headers, leading to HTTP Request Smuggling HRS vulnerabilities. By crafting requests with conflicting Transfer-Encoding headers, attackers can bypass security restrictions and access restricted endpoints. This issue is due to Gunicorn's handli...

CVE-2024-1135

Gunicorn fails to properly validate Transfer-Encoding headers, leading to HTTP Request Smuggling HRS vulnerabilities. By crafting requests with conflicting Transfer-Encoding headers, attackers can bypass security restrictions and access restricted endpoints. This issue is due to Gunicorn's handli...

DEBIAN-CVE-2024-1135

Gunicorn fails to properly validate Transfer-Encoding headers, leading to HTTP Request Smuggling HRS vulnerabilities. By crafting requests with conflicting Transfer-Encoding headers, attackers can bypass security restrictions and access restricted endpoints. This issue is due to Gunicorn's handli...