<p>Upgrade <code>Wolfi</code> <code>reflex</code> to version 0.4.9-r0 or higher.</p>

CVE-2024-1135 Affecting reflex package, versions <0.4.9-r0

Snyk CVSS

NVD CVSS Score is not yet available. When available we recommend using the distro's own rating score.

Threat Intelligence

EPSS 0.04% (9^th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk ID SNYK-WOLFILATEST-REFLEX-6811545
published 7 May 2024
disclosed 16 Apr 2024

Report a new vulnerability Found a mistake?

Introduced: 16 Apr 2024

CVE-2024-1135 Open this link in a new tab

How to fix?

Upgrade Wolfi reflex to version 0.4.9-r0 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream reflex package and not the reflex package as distributed by Wolfi. See How to fix? for Wolfi relevant fixed versions and status.

Gunicorn fails to properly validate Transfer-Encoding headers, leading to HTTP Request Smuggling (HRS) vulnerabilities. By crafting requests with conflicting Transfer-Encoding headers, attackers can bypass security restrictions and access restricted endpoints. This issue is due to Gunicorn's handling of Transfer-Encoding headers, where it incorrectly processes requests with multiple, conflicting Transfer-Encoding headers, treating them as chunked regardless of the final encoding specified. This vulnerability allows for a range of attacks including cache poisoning, session manipulation, and data exposure.

References

https://huntr.com/bounties/22158e34-cfd5-41ad-97e0-a780773d96c1