HTTP Request Smuggling

Affecting gunicorn package, versions [,19.10.0) || [20.0.0,20.0.1)


Overview

gunicorn is a Python WSGI HTTP server for UNIX.

Affected versions of this package are vulnerable to HTTP Request Smuggling. The server fails to properly process the Transfer-Encoding and Content-Length headers when both are present in an HTTP request. This allows conflicting information about the length of the request body to be sent, which, when processed by back-end servers under certain configurations, would allow malicious users to bypass security controls, gain unauthorized access to sensitive data, and directly compromise other application users.
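The condition described above (Transfer-Encoding and Content-Length present together, so two parsers can disagree on where the body ends) is something a defender can check for at an edge proxy or in a request filter placed in front of a server that cannot yet be upgraded. The following is an added example, not gunicorn code and not part of the advisory: it parses the head of a raw HTTP/1.1 request and rejects any request whose body framing is ambiguous, following the RFC 7230 rule that a message with both headers may be rejected outright. The sample requests and the names `determine_framing`, `is_unambiguous` and `AmbiguousFramingError` are constructed for this example.

```python
"""Constructed example (not gunicorn code): refuse requests with ambiguous
body framing, the precondition for HTTP request smuggling (CWE-444).

RFC 7230 section 3.3.3: when Transfer-Encoding and Content-Length are both
present, a server MUST use Transfer-Encoding and MAY reject the message.
Rejecting is the safest choice for a filter in front of a vulnerable server.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


class AmbiguousFramingError(ValueError):
    """Raised when the request body length cannot be determined unambiguously."""


@dataclass
class Framing:
    mode: str                    # "chunked", "content-length" or "none"
    length: Optional[int] = None  # only meaningful for "content-length"


def parse_headers(raw: bytes) -> List[Tuple[str, str]]:
    """Return (lower-cased name, value) pairs from the head of a raw request.

    Only the block before the blank line is parsed; the body is not needed
    to decide how the request is framed.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    headers = []
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        if not line:
            continue
        name, sep, value = line.partition(b":")
        if not sep:
            raise AmbiguousFramingError(f"malformed header line: {line!r}")
        headers.append((name.decode("ascii").strip().lower(),
                        value.decode("ascii").strip()))
    return headers


def determine_framing(raw: bytes) -> Framing:
    """Decide how the body is delimited, rejecting every conflicting case:

      * Transfer-Encoding together with Content-Length
      * a Transfer-Encoding chain whose final coding is not "chunked"
      * duplicate Content-Length headers with differing values
      * a Content-Length that is not a plain non-negative integer
    """
    headers = parse_headers(raw)
    te_values = [v for n, v in headers if n == "transfer-encoding"]
    cl_values = [v for n, v in headers if n == "content-length"]

    if te_values and cl_values:
        raise AmbiguousFramingError("both Transfer-Encoding and Content-Length present")

    if te_values:
        # Several Transfer-Encoding headers form one comma-separated list.
        codings = [c.strip().lower() for v in te_values for c in v.split(",") if c.strip()]
        if not codings or codings[-1] != "chunked":
            raise AmbiguousFramingError(f"final transfer coding is not chunked: {codings}")
        return Framing(mode="chunked")

    if cl_values:
        if len(set(cl_values)) != 1:
            raise AmbiguousFramingError(f"conflicting Content-Length values: {sorted(set(cl_values))}")
        value = cl_values[0]
        if not value.isdigit():  # rejects "-1", "+5", "5 " and empty values
            raise AmbiguousFramingError(f"invalid Content-Length: {value!r}")
        return Framing(mode="content-length", length=int(value))

    return Framing(mode="none", length=0)


def is_unambiguous(raw: bytes) -> bool:
    """True when the request has exactly one valid framing, False when it must be rejected."""
    try:
        determine_framing(raw)
    except AmbiguousFramingError:
        return False
    return True


# Constructed sample requests (not taken from the advisory).
CLEAN_REQUEST = (
    b"POST /upload HTTP/1.1\r\n"
    b"Host: app.example\r\n"
    b"Content-Length: 5\r\n"
    b"\r\n"
    b"hello"
)

CHUNKED_REQUEST = (
    b"POST /upload HTTP/1.1\r\n"
    b"Host: app.example\r\n"
    b"Transfer-Encoding: gzip, chunked\r\n"
    b"\r\n"
    b"0\r\n\r\n"
)

# Both framing headers present: the shape this advisory is about.
CONFLICTING_REQUEST = (
    b"POST /upload HTTP/1.1\r\n"
    b"Host: app.example\r\n"
    b"Content-Length: 4\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"0\r\n\r\n"
)

if __name__ == "__main__":
    for name, req in [("clean", CLEAN_REQUEST), ("chunked", CHUNKED_REQUEST),
                      ("conflicting", CONFLICTING_REQUEST)]:
        print(name, "accepted" if is_unambiguous(req) else "rejected")
```

The check is deliberately stricter than "prefer Transfer-Encoding": a front end that merely prefers one header still leaves the back end to make its own choice, and it is that disagreement between two parsers that smuggling exploits. Rejecting the request removes the disagreement instead of resolving it on one side only.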

Remediation

Upgrade gunicorn to version 19.10.0, 20.0.1 or higher.

CVSS Score

5.6 (medium severity)
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: Low
  • Integrity: Low
  • Availability: Low
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

Credit: Austin Jones
CWE: CWE-444
Snyk ID: SNYK-PYTHON-GUNICORN-541164
Disclosed: 15 Nov, 2019
Published: 09 Jan, 2020