• Bug#1100989: gunicorn: CVE-2024-6827

    From Moritz Mühlenhoff@21:1/5 to All on Fri Mar 21 14:30:01 2025
    Source: gunicorn
    X-Debbugs-CC: team@security.debian.org
    Severity: important
    Tags: security

    Hi,

    The following vulnerability was published for gunicorn.

    CVE-2024-6827[0]:
    | Gunicorn version 21.2.0 does not properly validate the value of the
    | 'Transfer-Encoding' header as specified in the RFC standards, which
    | leads to the default fallback method of 'Content-Length,' making it
    | vulnerable to TE.CL request smuggling. This vulnerability can lead
    | to cache poisoning, data exposure, session manipulation, SSRF, XSS,
    | DoS, data integrity compromise, security bypass, information
    | leakage, and business logic abuse.

    https://huntr.com/bounties/1b4f8f38-39da-44b6-9f98-f618639d0dd7


    If you fix the vulnerability please also make sure to include the
    CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

    For further information see:

    [0] https://security-tracker.debian.org/tracker/CVE-2024-6827
    https://www.cve.org/CVERecord?id=CVE-2024-6827

    Please adjust the affected versions in the BTS as needed.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
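The TE.CL desync the CVE text describes, as an added example (this is not gunicorn's code and not part of the bug report): the same constructed byte stream is framed by an RFC 9112 parser and by a simplified, hypothetical model of the vulnerable behaviour, where a Transfer-Encoding value other than the bare word "chunked" is ignored and the server falls back to Content-Length. The model is not a reconstruction of gunicorn's actual parser; host names, paths and request bytes are constructed for the demo.

```python
# Added example, not code from gunicorn or from the bug report. It models the
# TE.CL desync the advisory describes: a front end that frames the body by
# Transfer-Encoding (RFC 9112 section 6) and a back end that, on a
# Transfer-Encoding value it does not recognise, falls back to Content-Length.
# The request bytes at the bottom are constructed for the demo.


def parse_head(raw: bytes):
    """Split one message into (request line, headers as name -> [values], bytes after the head)."""
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete head")
    lines = head.split(b"\r\n")
    headers: dict = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.setdefault(name.strip().lower().decode(), []).append(value.strip().decode())
    return lines[0].decode(), headers, rest


def decode_chunked(data: bytes):
    """Decode a chunked body; return (decoded body, unread bytes after the last-chunk)."""
    out, pos = b"", 0
    while True:
        eol = data.index(b"\r\n", pos)
        size = int(data[pos:eol].split(b";")[0], 16)  # chunk extensions are ignored
        pos = eol + 2
        if size == 0:
            return out, data[pos + 2:]  # skip the CRLF that ends the (empty) trailer section
        out += data[pos:pos + size]
        pos += size + 2  # chunk data plus its trailing CRLF


def rfc_framing(headers, reject_both=True):
    """RFC 9112 section 6: Transfer-Encoding wins over Content-Length, and a final
    transfer coding other than chunked cannot be framed. When both headers are
    present the RFC lets a server either reject the message or honour
    Transfer-Encoding alone; reject_both selects the safer option."""
    te, cl = headers.get("transfer-encoding"), headers.get("content-length")
    if te is not None:
        codings = [c.strip().lower() for v in te for c in v.split(",")]
        if codings[-1] != "chunked":
            raise ValueError("400: final transfer coding is not chunked")
        if cl is not None and reject_both:
            raise ValueError("400: Transfer-Encoding and Content-Length both present")
        return "chunked"
    if cl is not None:
        if len(set(cl)) != 1 or not cl[0].isdigit():
            raise ValueError("400: conflicting or invalid Content-Length")
        return "content-length"
    return "none"


def lax_framing(headers):
    """Hypothetical model of the vulnerable behaviour: only the bare value 'chunked'
    is recognised; any other Transfer-Encoding value is ignored in favour of
    Content-Length. Not gunicorn's parser."""
    if headers.get("transfer-encoding") == ["chunked"]:
        return "chunked"
    return "content-length" if "content-length" in headers else "none"


def split_requests(stream: bytes, framing):
    """Consume a byte stream the way a server using `framing` would and return
    (request lines it accepted, bytes it could not parse as a request)."""
    seen = []
    while True:
        stream = stream.lstrip(b"\r\n")  # RFC 9112 2.2: empty lines before a request line are ignored
        if not stream:
            return seen, b""
        try:
            request_line, headers, rest = parse_head(stream)
            mode = framing(headers)
            if mode == "chunked":
                _, rest = decode_chunked(rest)
            elif mode == "content-length":
                rest = rest[int(headers["content-length"][0]):]
        except ValueError:
            return seen, stream  # a real server answers 400 and closes the connection here
        if len(request_line.split(" ")) != 3:
            return seen, stream
        seen.append(request_line)
        stream = rest


# Constructed attack stream. "identity, chunked" is a valid Transfer-Encoding
# whose final coding is chunked, so an RFC-conformant front end reads the
# chunked body and forwards everything as ONE request. The lax back end does
# not match the bare word "chunked", trusts Content-Length: 4, consumes only
# the 4-byte chunk-size line, and parses the chunk payload as a SECOND request.
SMUGGLED = b"GET /admin HTTP/1.1\r\nHost: backend.test\r\n\r\n"
ATTACK = (
    b"POST /upload HTTP/1.1\r\n"
    b"Host: backend.test\r\n"
    b"Content-Length: 4\r\n"
    b"Transfer-Encoding: identity, chunked\r\n"
    b"\r\n"
    + b"%x\r\n%s\r\n0\r\n\r\n" % (len(SMUGGLED), SMUGGLED)
)


def front_end_view():
    return split_requests(ATTACK, lambda h: rfc_framing(h, reject_both=False))


def vulnerable_backend_view():
    return split_requests(ATTACK, lax_framing)


def hardened_backend_view():
    return split_requests(ATTACK, rfc_framing)


if __name__ == "__main__":
    print("front end     :", front_end_view())
    print("lax back end  :", vulnerable_backend_view())
    print("fixed back end:", hardened_backend_view())
```

Run stand-alone, the front end reports one request, the lax back end reports two (the second being the smuggled `GET /admin` that the front end never saw as a request), and the hardened back end rejects the message outright because it carries both headers. The practical check for any HTTP server or proxy in the chain is the same: Transfer-Encoding must be parsed as a list whose final coding is chunked, an unparseable value must produce a 400 rather than a silent fall-back, and a message carrying both headers should be rejected rather than framed by Content-Length.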