#1100989 gunicorn: CVE-2024-6827

Package: src:gunicorn
Source: src:gunicorn
Submitter: Moritz Mühlenhoff
Date: 2025-03-21 16:09:02 UTC
Severity: normal
Tags:

#1100989#5
Date: 2025-03-21 13:23:16 UTC
From:
To:
Hi,

The following vulnerability was published for gunicorn.

CVE-2024-6827[0]:
| Gunicorn version 21.2.0 does not properly validate the value of the
| 'Transfer-Encoding' header as specified in the RFC standards, which
| leads to the default fallback method of 'Content-Length,' making it
| vulnerable to TE.CL request smuggling. This vulnerability can lead
| to cache poisoning, data exposure, session manipulation, SSRF, XSS,
| DoS, data integrity compromise, security bypass, information
| leakage, and business logic abuse.

https://huntr.com/bounties/1b4f8f38-39da-44b6-9f98-f618639d0dd7


If you fix the vulnerability, please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-6827
https://www.cve.org/CVERecord?id=CVE-2024-6827

Please adjust the affected versions in the BTS as needed.
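To make the framing problem in the CVE text concrete, here is an added example (not gunicorn's code, and not part of the bug report) that places a lenient body-length decision of the kind the description attributes to gunicorn 21.2.0, which falls back to Content-Length whenever Transfer-Encoding is not literally "chunked", beside a strict decision that follows RFC 9112 section 6.3: Transfer-Encoding wins, its value is validated as a comma-separated list of tokens ending in "chunked", and a request that cannot be framed unambiguously is rejected rather than guessed. The header dicts, the choice to reject a request carrying both headers, and the set of supported codings are assumptions made for the example.

```python
import re

# RFC 9110 token characters; a transfer-coding name must be a token.
TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
# Assumption: the server implements only the chunked coding, so any other
# coding is "not understood" and should get a 501 rather than a guess.
SUPPORTED_CODINGS = {"chunked"}


class FramingError(ValueError):
    """The request must be rejected (400/501); its body length is ambiguous."""


def lenient_framing(headers):
    """Body-length decision in the spirit of the CVE description (assumed):
    anything other than an exact 'chunked' value falls back to Content-Length,
    so a valid but differently spelled Transfer-Encoding is framed by the
    attacker-controlled Content-Length instead of by the chunked body."""
    if headers.get("transfer-encoding") == "chunked":
        return "chunked"
    return ("content-length", int(headers.get("content-length", "0")))


def strict_framing(headers):
    """RFC 9112 section 6.3 body-length decision: Transfer-Encoding is validated
    and never silently replaced by Content-Length."""
    te = headers.get("transfer-encoding")
    cl = headers.get("content-length")
    if te is not None:
        codings = [c.strip().lower() for c in te.split(",") if c.strip()]
        if not codings or any(not TOKEN.match(c) for c in codings):
            raise FramingError("malformed Transfer-Encoding")
        if any(c not in SUPPORTED_CODINGS for c in codings):
            raise FramingError("unsupported transfer coding")  # 501 territory
        if codings[-1] != "chunked":
            raise FramingError("chunked must be the final transfer coding")
        if cl is not None:  # RFC 9112 allows rejecting this; we do, as the safe choice
            raise FramingError("Transfer-Encoding and Content-Length both present")
        return "chunked"
    if cl is not None:
        if not cl.isdigit():
            raise FramingError("invalid Content-Length")
        return ("content-length", int(cl))
    return ("content-length", 0)


def is_rejected(headers):
    """True if the strict decision refuses to frame this request."""
    try:
        strict_framing(headers)
    except FramingError:
        return True
    return False
```

Header names are assumed already lower-cased by the caller; coding names are compared case-insensitively because RFC 9110 defines them that way.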