Forum: >>> Magnum BBS <<<

Bug#1100989: gunicorn: CVE-2024-6827

From =?UTF-8?Q?Moritz_M=C3=BChlenhoff?=@21:1/5 to All on Fri Mar 21 14:30:01 2025

Source: gunicorn
X-Debbugs-CC: team@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for gunicorn.

CVE-2024-6827[0]:
| Gunicorn version 21.2.0 does not properly validate the value of the
| 'Transfer-Encoding' header as specified in the RFC standards, which
| leads to the default fallback method of 'Content-Length,' making it
| vulnerable to TE.CL request smuggling. This vulnerability can lead
| to cache poisoning, data exposure, session manipulation, SSRF, XSS,
| DoS, data integrity compromise, security bypass, information
| leakage, and business logic abuse.

https://huntr.com/bounties/1b4f8f38-39da-44b6-9f98-f618639d0dd7

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-6827
https://www.cve.org/CVERecord?id=CVE-2024-6827

Please adjust the affected versions in the BTS as needed.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Sysop:	Keyop
Location:	Huddersfield, West Yorkshire, UK
Users:	491
Nodes:	16 (2 / 14)
Uptime:	86:03:05
Calls:	9,679
Files:	13,722
Messages:	6,173,649