Overview
gunicorn is a Python WSGI HTTP Server for UNIX.
Affected versions of this package are vulnerable to Improper Input Validation. Gunicorn fails with a 500, instead of a 400, when a request path is a malformed IPv6 address. This is because no 'InvalidRequestLine' exception is raised when the request line contains malicious data, so the underlying parsing error escapes the request parser as an unhandled server error.
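Added illustration, not gunicorn's code and not part of this advisory: a minimal request-line parser in two versions. The naive one lets the ValueError that urlsplit raises on a malformed IPv6 literal escape, which the server's outer loop turns into a 500; the hardened one converts it into the InvalidRequestLine the advisory names, which maps to a 400. All class and function names, and the sample request lines, are constructed for the example.

```python
import re
from urllib.parse import urlsplit


class InvalidRequestLine(Exception):
    """Parser-level error that the server maps to HTTP 400 (name assumed)."""


# Request line shape: METHOD SP request-target SP HTTP/x.y
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/(\d)\.(\d)$")


def parse_request_line_naive(line: str):
    """Failure mode: urlsplit raises ValueError('Invalid IPv6 URL') on a
    target such as http://[::1/ and nothing converts it, so it bubbles up."""
    m = REQUEST_LINE.match(line)
    if m is None:
        raise InvalidRequestLine(line)
    method, target, major, minor = m.groups()
    parts = urlsplit(target)  # may raise a bare ValueError
    return method, parts.hostname, parts.path or "/", (int(major), int(minor))


def parse_request_line(line: str):
    """Hardened: any URL-parsing failure is reported as an invalid request
    line, so the server answers 400 instead of crashing the request."""
    m = REQUEST_LINE.match(line)
    if m is None:
        raise InvalidRequestLine(line)
    method, target, major, minor = m.groups()
    try:
        parts = urlsplit(target)
        host = parts.hostname  # bracketed IPv6 literals are checked here
    except ValueError as exc:
        raise InvalidRequestLine(line) from exc
    return method, host, parts.path or "/", (int(major), int(minor))


def status_for(parser, line: str) -> int:
    """Simulates the server's outer loop: InvalidRequestLine becomes 400,
    any other exception becomes 500, success is 200."""
    try:
        parser(line)
    except InvalidRequestLine:
        return 400
    except Exception:
        return 500
    return 200


if __name__ == "__main__":
    bad = "GET http://[::1/ HTTP/1.1"  # constructed: unterminated IPv6 literal
    print(status_for(parse_request_line_naive, bad), status_for(parse_request_line, bad))
```

The two parsers differ only in the try/except around urlsplit; that single conversion is what decides whether a malformed host literal is a client error or a server error.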
Remediation
Upgrade gunicorn to version 19.4.0 or higher.
References
CVSS Score: 3.7 (low severity)
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality: None
- Integrity: Low
- Availability: None
- Credit: Unknown
- CWE: CWE-20
- Snyk ID: SNYK-PYTHON-GUNICORN-1090281
- Disclosed: 01 Apr, 2021
- Published: 01 Apr, 2021