[GHSA-hc5x-x2vx-497g] Gunicorn HTTP Request/Response Smuggling vulnerability#6224
Hi @xzpjerry, I had to do quite a bit of reading to clarify the difference between https://huntr.com/bounties/1b4f8f38-39da-44b6-9f98-f618639d0dd7 (where the
d319308 into xzpjerry/advisory-improvement-6224
Hi @xzpjerry! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!
Gunicorn 22.0.0 already contains the fixes that mitigate the vulnerability described in CVE-2024-6827. The changelog for 22.0.0 explicitly notes that “numerous security vulnerabilities in the HTTP parser (closing some request smuggling vectors)” were addressed, including rejecting requests with both Transfer-Encoding and Content-Length headers and refusing unsupported or empty transfer codings. These changes eliminate the TE.CL request smuggling vector that CVE-2024-6827 is based on. The relevant fixes were merged before the 22.0.0 release (e.g. benoitc/gunicorn#3113), and the release notes confirm their inclusion. Therefore, the correct affected range is <22.0.0, not <23.0.0.
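As an added example that is not Gunicorn's own code (nor part of this PR or the advisory), here is a Python sketch of the framing-header validation the comment above describes: reject a request that carries both Transfer-Encoding and Content-Length, and refuse empty or unsupported transfer codings. The function names, the set of accepted codings, and the sample header blocks are assumptions constructed for illustration; the sketch also rejects header names with whitespace before the colon, since a proxy and a backend disagreeing on whether such a line is a header is itself a desynchronisation source.

```python
import re
from typing import List, Tuple

# Assumption for this toy parser: which transfer codings it is willing to accept.
SUPPORTED_CODINGS = {"chunked", "identity"}


class InvalidHeader(ValueError):
    """Raised when a request's message framing is ambiguous or unsupported."""


def parse_header_block(raw: str) -> List[Tuple[str, str]]:
    """Split a raw CRLF-delimited header block into (name, value) pairs.

    Header names with surrounding whitespace are rejected outright rather than
    silently trimmed, so "Content-Length :" cannot be read differently here and
    at an upstream proxy.
    """
    headers: List[Tuple[str, str]] = []
    for line in raw.split("\r\n"):
        if not line:
            continue
        name, sep, value = line.partition(":")
        if not sep or not name or name != name.strip():
            raise InvalidHeader(f"malformed header line: {line!r}")
        headers.append((name, value.strip()))
    return headers


def validate_framing(headers: List[Tuple[str, str]]) -> str:
    """Return the framing mode ("chunked", "content-length" or "none") for a
    well-framed request, or raise InvalidHeader.

    Rules, mirroring the mitigations described in the comment above:
      1. Transfer-Encoding and Content-Length together -> reject (TE.CL ambiguity)
      2. an empty or unsupported transfer coding -> reject
      3. when Transfer-Encoding is present, "chunked" must be the final coding
      4. Content-Length must be a single, consistent, ASCII-decimal value
    """
    te_values = [v for n, v in headers if n.lower() == "transfer-encoding"]
    cl_values = [v for n, v in headers if n.lower() == "content-length"]

    if te_values and cl_values:
        raise InvalidHeader("Transfer-Encoding and Content-Length must not both be present")

    if te_values:
        # Repeated Transfer-Encoding fields form one comma-separated list.
        codings = [c.strip().lower() for v in te_values for c in v.split(",")]
        for coding in codings:
            if coding == "":
                raise InvalidHeader("empty transfer coding")
            if coding not in SUPPORTED_CODINGS:
                raise InvalidHeader(f"unsupported transfer coding: {coding!r}")
        if codings[-1] != "chunked":
            raise InvalidHeader("chunked must be the final transfer coding")
        return "chunked"

    if cl_values:
        if len(set(cl_values)) != 1:
            raise InvalidHeader("conflicting Content-Length values")
        # fullmatch on ASCII digits: str.isdigit() would also accept e.g. superscripts.
        if not re.fullmatch(r"[0-9]+", cl_values[0]):
            raise InvalidHeader(f"invalid Content-Length: {cl_values[0]!r}")
        return "content-length"

    return "none"


def check_request(raw_headers: str) -> str:
    """Parse and validate a raw header block; return "ok: <mode>" or "rejected: <reason>"."""
    try:
        return "ok: " + validate_framing(parse_header_block(raw_headers))
    except InvalidHeader as exc:
        return "rejected: " + str(exc)


# Constructed sample header blocks (not captured traffic).
SAMPLES = {
    "plain content-length": "Host: backend.test\r\nContent-Length: 5\r\n",
    "plain chunked": "Host: backend.test\r\nTransfer-Encoding: chunked\r\n",
    "TE.CL (both headers)": "Host: backend.test\r\nContent-Length: 4\r\nTransfer-Encoding: chunked\r\n",
    "empty coding": "Host: backend.test\r\nTransfer-Encoding: chunked,\r\n",
    "unsupported coding": "Host: backend.test\r\nTransfer-Encoding: xchunked\r\n",
    "space before colon": "Host: backend.test\r\nContent-Length : 4\r\n",
}

if __name__ == "__main__":
    for label, block in SAMPLES.items():
        print(f"{label:22} -> {check_request(block)}")
```

Running the script prints one verdict per sample; only the first two are accepted, and the TE.CL block is refused before any body bytes are read, which is the point of the 22.0.0 parser change the comment refers to.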