CVE-2024-1135
📋 TL;DR
Gunicorn web servers are vulnerable to HTTP Request Smuggling attacks due to improper validation of Transfer-Encoding headers. Attackers can craft requests with conflicting headers to bypass security controls and access restricted endpoints. This affects all deployments using vulnerable Gunicorn versions.
💻 Affected Systems
- Gunicorn
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could poison caches, hijack user sessions, bypass authentication, access sensitive data, and perform web cache deception attacks leading to data exposure and account compromise.
Likely Case
Attackers bypass security filters to access restricted endpoints, potentially exposing internal APIs or administrative interfaces that should be protected.
If Mitigated
With proper network segmentation and WAF protection, impact is limited to potential cache poisoning and minor information disclosure.
🎯 Exploit Status
Exploitation requires sending specially crafted HTTP requests with conflicting Transfer-Encoding headers. Public proof-of-concept code is available in the huntr.com bounty reports.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 22.0.0 and later
Vendor Advisory: https://github.com/benoitc/gunicorn/security/advisories/GHSA-8fjx-3jrw-wvqg
Restart Required: Yes
Instructions:
1. Update Gunicorn to version 22.0.0 or later using pip (quote the specifier so the shell does not treat `>=` as a redirect): pip install --upgrade "gunicorn>=22.0.0"
2. Restart all Gunicorn processes
3. Verify the update with: gunicorn --version
🔧 Temporary Workarounds
WAF Rule Implementation
Configure the Web Application Firewall to block requests with multiple or conflicting Transfer-Encoding headers
Reverse Proxy Sanitization
Place a reverse proxy (nginx, Apache) in front of Gunicorn to normalize and validate HTTP headers before they reach Gunicorn
# nginx example: terminate client HTTP at the proxy so Gunicorn only sees
# requests nginx has already parsed and re-serialized (nginx decodes chunked
# request bodies itself and forwards a normalized request upstream)
location / {
    proxy_pass http://gunicorn_backend;
    proxy_set_header Host $host;
    # Additional header validation can be added here
}
🧯 If You Can't Patch
- Implement strict WAF rules to detect and block requests with multiple Transfer-Encoding headers
- Deploy a reverse proxy layer that sanitizes HTTP headers before they reach vulnerable Gunicorn instances
🔍 How to Verify
Check if Vulnerable:
Check Gunicorn version: gunicorn --version. If version is below 22.0.0, the system is vulnerable.
Check Version:
gunicorn --version
Verify Fix Applied:
After updating, verify with: gunicorn --version. Should show 22.0.0 or higher. Test with a request containing conflicting Transfer-Encoding headers to ensure proper rejection.
📡 Detection & Monitoring
Log Indicators:
- Multiple Transfer-Encoding headers in single request
- HTTP 400 errors for malformed requests after patch
- Unusual access patterns to restricted endpoints
Network Indicators:
- HTTP requests with 'Transfer-Encoding: chunked' and other encoding values
- Requests that bypass expected authentication flows
SIEM Query:
source="gunicorn_access.log" AND ("Transfer-Encoding" AND "chunked" AND NOT "HTTP/1.1 400")
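The three header-level conditions listed above (duplicate Transfer-Encoding headers, Transfer-Encoding alongside Content-Length, and a Transfer-Encoding value other than a lone "chunked") can be checked offline against captured request heads. The following is an added example for this advisory, not Gunicorn's own parser; the sample request heads are constructed and the hostname is a placeholder.

```python
# Added example: flag the conflicting Transfer-Encoding conditions this advisory
# tells defenders to watch for. Not Gunicorn code; sample inputs are constructed.
from typing import List, Tuple

def parse_headers(raw: bytes) -> List[Tuple[str, str]]:
    """Split a raw HTTP/1.1 request head into ordered (name, value) pairs."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    pairs = []
    for line in head.split("\r\n")[1:]:  # skip the request line
        if not line:
            continue
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs

def transfer_encoding_findings(raw: bytes) -> List[str]:
    """Return the indicators found in one request head; empty means clean."""
    headers = parse_headers(raw)
    te_values = [v for n, v in headers if n == "transfer-encoding"]
    has_content_length = any(n == "content-length" for n, _ in headers)
    findings = []
    if len(te_values) > 1:
        findings.append("multiple Transfer-Encoding headers")
    if te_values and has_content_length:
        findings.append("Transfer-Encoding together with Content-Length")
    for value in te_values:
        tokens = [t.strip().lower() for t in value.split(",")]
        if tokens != ["chunked"]:  # anything but a single "chunked" token
            findings.append(f"non-canonical Transfer-Encoding value: {value!r}")
    return findings

# Constructed request heads (placeholder host, no bodies) for a local check.
CLEAN = b"POST /api HTTP/1.1\r\nHost: app.example\r\nContent-Length: 5\r\n\r\n"
DOUBLE_TE = (b"POST /api HTTP/1.1\r\nHost: app.example\r\n"
             b"Transfer-Encoding: chunked\r\nTransfer-Encoding: identity\r\n\r\n")
TE_AND_CL = (b"POST /api HTTP/1.1\r\nHost: app.example\r\n"
             b"Content-Length: 4\r\nTransfer-Encoding: chunked\r\n\r\n")

if __name__ == "__main__":
    for label, head in (("clean", CLEAN), ("double TE", DOUBLE_TE), ("TE+CL", TE_AND_CL)):
        print(label, "->", transfer_encoding_findings(head) or "no findings")
```

Requests that trip any finding should produce an HTTP 400 from a patched Gunicorn (22.0.0 or later); on an unpatched deployment they are the traffic worth correlating with the access log query above.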
🔗 References
- https://huntr.com/bounties/22158e34-cfd5-41ad-97e0-a780773d96c1
- https://lists.debian.org/debian-lts-announce/2024/06/msg00027.html
- https://lists.debian.org/debian-lts-announce/2024/12/msg00018.html