Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Synk:High] Gunicorn (Due 05/17/2024) #5793

Closed
1 task
tmpayton opened this issue Apr 17, 2024 · 0 comments · Fixed by #5829
Closed
1 task

[Synk:High] Gunicorn (Due 05/17/2024) #5793

tmpayton opened this issue Apr 17, 2024 · 0 comments · Fixed by #5829
Assignees
@tmpayton
Labels
Security: high Remediate within 30 days
Milestone
24.i

Comments

@tmpayton
Copy link
Contributor

Introduced through
[email protected]

Exploit maturity
PROOF OF CONCEPT

Detailed paths
Introduced through: [email protected][email protected]

Fix: No remediation path available.
Security information
Factors contributing to the scoring:
Snyk: CVSS 7.5 - High Severity

NVD: Not available. NVD has not yet published its analysis.
Why are the scores different? Learn how Snyk evaluates vulnerability scores
Overview
gunicorn is a Python WSGI HTTP Server for UNIX

Affected versions of this package are vulnerable to HTTP Request Smuggling due to the improper validation of Transfer-Encoding headers. An attacker can bypass security restrictions and access restricted endpoints by crafting requests with conflicting Transfer-Encoding headers.

Notes:

This is only exploitable if users have a network path which does not filter out invalid requests;

Users are advised to block access to restricted endpoints via a firewall or other mechanism until a fix can be developed.

This issue arises from the application's incorrectly processing of requests with multiple, conflicting Transfer-Encoding headers, treating them as chunked regardless of the final encoding specified.

Completion Criteria

  • Upgrade Gunicorn once patched version is available
@tmpayton tmpayton added the Security: high Remediate within 30 days label Apr 17, 2024
@tmpayton tmpayton added this to the 24.i milestone Apr 17, 2024
@tmpayton tmpayton moved this to 🗄️ PI backlog in Website project Apr 17, 2024
@tmpayton tmpayton mentioned this issue Apr 17, 2024
Closed
3 tasks
@cnlucas cnlucas mentioned this issue Apr 24, 2024
Closed
2 tasks
This was referenced May 1, 2024
Closed
Closed
@JonellaCulmer JonellaCulmer moved this from 🗄️ PI backlog to 📥 Assigned in Website project May 9, 2024
@tmpayton tmpayton mentioned this issue May 10, 2024
Merged
@github-project-automation github-project-automation bot moved this from 📥 Assigned to ✅ Done in Website project May 13, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@tmpayton tmpayton

Labels
Security: high Remediate within 30 days
Projects
Website project
Status: ✅ Done
Milestone
24.i
Development

Successfully merging a pull request may close this issue.

upgrade gunicorn v22 fecgov/openFEC
1 participant
@tmpayton