Source: gunicorn
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security
Hi,

The following vulnerability was published for gunicorn.

CVE-2024-6827[0]:
| Gunicorn version 21.2.0 does not properly validate the value of the
| 'Transfer-Encoding' header as specified in the RFC standards, which
| leads to the default fallback method of 'Content-Length,' making it
| vulnerable to TE.CL request smuggling. This vulnerability can lead
| to cache poisoning, data exposure, session manipulation, SSRF, XSS,
| DoS, data integrity compromise, security bypass, information
| leakage, and business logic abuse.

https://huntr.com/bounties/1b4f8f38-39da-44b6-9f98-f618639d0dd7

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-6827
    https://www.cve.org/CVERecord?id=CVE-2024-6827

Please adjust the affected versions in the BTS as needed.
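Added example, not gunicorn's code or part of the bug report: the CVE text says an unvalidated Transfer-Encoding value falls back to Content-Length framing. The snippet below models that lenient decision next to an RFC 7230 section 3.3.3 style decision that rejects the request (both headers present, unknown coding, or chunked not the final coding) instead of guessing. The parser, the function names and the sample request heads are constructed for illustration; the "lenient" model is an assumption about the weak behaviour, not a reproduction of gunicorn's parser.

```python
# Added example (not gunicorn's own code): contrasts a lenient framing decision,
# where an unrecognised Transfer-Encoding silently falls back to Content-Length,
# with an RFC 7230 section 3.3.3 style decision that rejects the request.
# Function names and sample request heads are assumptions for illustration.
from typing import List, Optional, Tuple

Headers = List[Tuple[str, str]]
# Transfer codings registered by RFC 7230 section 4, plus the x- aliases it lists.
KNOWN_CODINGS = {"chunked", "compress", "deflate", "gzip", "x-compress", "x-gzip"}


def parse_head(raw: bytes) -> Tuple[str, Headers]:
    """Split a request head (request line + header lines) into its parts.
    Header names are lower-cased; values are stripped of surrounding whitespace."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.decode("latin-1").split("\r\n")
    headers: Headers = []
    for line in lines[1:]:
        if not line:
            continue
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def _values(headers: Headers, name: str) -> List[str]:
    return [v for n, v in headers if n == name]


def lenient_framing(headers: Headers) -> Tuple[str, Optional[int]]:
    """Assumed weak behaviour: only an exact 'chunked' value is honoured; any
    other Transfer-Encoding is ignored and the body length comes from
    Content-Length (0 if absent). The front end may have framed the same bytes
    by Transfer-Encoding, which is the TE.CL desynchronisation the CVE names."""
    te = _values(headers, "transfer-encoding")
    if te and te[-1].lower() == "chunked":
        return ("chunked", None)
    cl = _values(headers, "content-length")
    return ("content-length", int(cl[0]) if cl else 0)


def strict_framing(headers: Headers) -> Tuple[str, object]:
    """RFC 7230 section 3.3.3 style decision. Returns ('chunked', None),
    ('content-length', n) or ('reject', reason). A rejected request should get
    a 400 (501 for an unknown coding) and the connection should be closed, so
    none of its bytes can be reinterpreted as the start of a second request."""
    te = _values(headers, "transfer-encoding")
    cl = _values(headers, "content-length")
    if te and cl:
        return ("reject", "both Transfer-Encoding and Content-Length present")
    if te:
        codings = [c.strip().lower() for v in te for c in v.split(",") if c.strip()]
        unknown = [c for c in codings if c not in KNOWN_CODINGS]
        if unknown:
            return ("reject", f"unknown transfer-coding {unknown[0]!r}")
        if codings[-1] != "chunked" or codings.count("chunked") != 1:
            return ("reject", "chunked must be the final and only chunked coding")
        return ("chunked", None)
    if cl:
        if any(not v.isdigit() for v in cl) or len(set(cl)) != 1:
            return ("reject", "invalid or conflicting Content-Length")
        return ("content-length", int(cl[0]))
    return ("content-length", 0)


# Constructed sample request heads (not captured traffic).
SAMPLES = {
    "plain_chunked": b"POST /upload HTTP/1.1\r\nHost: example.test\r\nTransfer-Encoding: chunked\r\n\r\n",
    "unknown_te_only": b"POST /upload HTTP/1.1\r\nHost: example.test\r\nTransfer-Encoding: xchunked\r\n\r\n",
    "unknown_te_with_cl": b"POST /upload HTTP/1.1\r\nHost: example.test\r\nTransfer-Encoding: xchunked\r\nContent-Length: 5\r\n\r\n",
    "te_and_cl": b"POST /upload HTTP/1.1\r\nHost: example.test\r\nTransfer-Encoding: chunked\r\nContent-Length: 5\r\n\r\n",
    "gzip_then_chunked": b"POST /upload HTTP/1.1\r\nHost: example.test\r\nTransfer-Encoding: gzip, chunked\r\n\r\n",
}


def compare(raw: bytes) -> dict:
    """Return the lenient and strict framing decisions for one request head."""
    _, headers = parse_head(raw)
    return {"lenient": lenient_framing(headers), "strict": strict_framing(headers)}


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:20s} {compare(raw)}")
```

The point of the contrast is the "unknown_te_with_cl" and "te_and_cl" cases: the lenient decision always produces some framing, so an intermediary and the back end can disagree about where the request ends, whereas the strict decision refuses and closes the connection. A side effect worth noting is that the lenient model also mishandles the legitimate "gzip, chunked" case, so rejecting ambiguous framing is not only safer but more correct.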