HTTP Request Smuggling via Improper Transfer-Encoding Validation
Gunicorn version 21.2.0 is vulnerable to HTTP Request Smuggling because it does not strictly validate the 'Transfer-Encoding' header. Request smuggling arises when two HTTP/1.1 parsers on the same path disagree about where one request's body ends: if a front-end proxy frames the body by Content-Length while Gunicorn accepts a malformed or non-standard Transfer-Encoding value as chunked (or vice versa), an attacker can embed a second request inside the body of a legitimate one. Gunicorn then processes that hidden request as if it were the next request on the connection, which can bypass front-end access controls, hit internal endpoints, or poison responses delivered to other users sharing the connection. The issue was identified and reported, but the fixed version is not specified in this advisory.
Published publicly on Jul 25 2024
Remediation Steps
- Upgrade Gunicorn to a release newer than 21.2.0 in which this issue is addressed; the fixed version is not recorded in this advisory, so confirm it against the project's changelog before relying on an upgrade alone.
- Ensure that the 'Transfer-Encoding' header is strictly validated according to RFC 9112: reject requests that carry both Transfer-Encoding and Content-Length, reject transfer-codings the server does not implement, and reject any Transfer-Encoding list in which 'chunked' is not the single, final coding, rather than matching loosely on the word "chunked".
- Implement additional controls to detect and mitigate HTTP Request Smuggling: place a reverse proxy in front of Gunicorn that normalises or rejects ambiguous framing before forwarding, avoid connection reuse between proxy and backend where practical, and alert on 400/501 responses that spike on Transfer-Encoding or Content-Length anomalies.
- Regularly review and update dependencies to include security patches.
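The following is an added example, not Gunicorn's code and not part of the original advisory, illustrating why the second remediation step matters. It parses one constructed HTTP/1.1 connection under three framing policies: a proxy that frames by Content-Length when present, a deliberately lenient backend that treats any Transfer-Encoding value mentioning "chunked" as chunked, and a strict policy that applies the RFC 9112 rules listed above. The lenient backend sees two requests where the proxy saw one; the strict policy refuses the ambiguous request outright. The payload, header policies and function names are all assumptions constructed for this demonstration.

```python
import re

# Assumed for this example: RFC 9110 token syntax and the transfer-codings a
# server might implement. Anything else is rejected by the strict policy.
TOKEN_RE = re.compile(r"[!#$%&'*+.^_`|~0-9A-Za-z-]+")
KNOWN_CODINGS = {"chunked", "gzip", "x-gzip", "deflate", "compress", "x-compress"}


def _values(headers, name):
    return [v for k, v in headers if k == name]


def strict_framing(headers):
    """RFC 9112 body framing: ("chunked"|"length"|"none", n) or ValueError (-> 400/501)."""
    te, cl = _values(headers, "transfer-encoding"), _values(headers, "content-length")
    if te and cl:
        raise ValueError("Transfer-Encoding and Content-Length both present")
    if te:
        codings = [c.strip().lower() for v in te for c in v.split(",")]
        if not all(TOKEN_RE.fullmatch(c) for c in codings):
            raise ValueError("malformed transfer-coding token")
        if not all(c in KNOWN_CODINGS for c in codings):
            raise ValueError("unsupported transfer-coding")
        if codings[-1] != "chunked" or codings.count("chunked") != 1:
            raise ValueError("chunked must be the single, final transfer-coding")
        return ("chunked", 0)
    if cl:
        if len(set(cl)) != 1 or not re.fullmatch(r"[0-9]+", cl[0]):
            raise ValueError("invalid or conflicting Content-Length")
        return ("length", int(cl[0]))
    return ("none", 0)


def frontend_cl_first(headers):
    """Constructed proxy behaviour: Content-Length wins whenever it is present."""
    cl = _values(headers, "content-length")
    if cl:
        return ("length", int(cl[0]))
    te = ",".join(_values(headers, "transfer-encoding")).lower()
    return ("chunked", 0) if te.strip() == "chunked" else ("none", 0)


def lenient_backend(headers):
    """Constructed weak backend: substring match on 'chunked', Content-Length ignored."""
    te = ",".join(_values(headers, "transfer-encoding")).lower()
    if "chunked" in te:
        return ("chunked", 0)
    cl = _values(headers, "content-length")
    return ("length", int(cl[0])) if cl else ("none", 0)


def _read_chunked(raw, pos):
    """Decode a chunked body starting at pos; return (body, position after it)."""
    body = bytearray()
    while True:
        eol = raw.find(b"\r\n", pos)
        if eol < 0:
            raise ValueError("truncated chunk-size line")
        size = int(raw[pos:eol].split(b";")[0].strip(), 16)
        pos = eol + 2
        if size == 0:  # last-chunk: skip optional trailer lines up to the blank line
            end = raw.find(b"\r\n\r\n", pos - 2)
            if end < 0:
                raise ValueError("truncated trailer section")
            return bytes(body), end + 4
        body += raw[pos:pos + size]
        pos += size
        if raw[pos:pos + 2] != b"\r\n":
            raise ValueError("missing CRLF after chunk data")
        pos += 2


def parse_stream(raw, policy):
    """Split one connection's bytes into [(request_line, body)] using `policy` for framing."""
    out, pos = [], 0
    while pos < len(raw):
        end = raw.find(b"\r\n\r\n", pos)
        if end < 0:
            raise ValueError("truncated request head")
        lines = raw[pos:end].decode("latin-1").split("\r\n")
        headers = []
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers.append((name.strip().lower(), value.strip()))
        pos = end + 4
        mode, n = policy(headers)
        if mode == "chunked":
            body, pos = _read_chunked(raw, pos)
        elif mode == "length":
            body, pos = raw[pos:pos + n], pos + n
            if len(body) != n:
                raise ValueError("short body")
        else:
            body = b""
        out.append((lines[0], body))
    return out


# Constructed CL.TE payload: the proxy forwards one POST whose body is 47 bytes;
# a lenient backend ends the chunked body at "0\r\n\r\n" and parses the rest
# as a second request to /admin that the proxy never saw.
SMUGGLED_BODY = b"0\r\n\r\nGET /admin HTTP/1.1\r\nHost: app.example\r\n\r\n"
SMUGGLED = (
    b"POST / HTTP/1.1\r\nHost: app.example\r\n"
    + b"Content-Length: %d\r\n" % len(SMUGGLED_BODY)
    + b"Transfer-Encoding: chunked\r\n\r\n"
    + SMUGGLED_BODY
)


def strict_rejects(raw):
    """True if the strict policy refuses to frame the stream at all."""
    try:
        parse_stream(raw, strict_framing)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    print("proxy sees:", [r for r, _ in parse_stream(SMUGGLED, frontend_cl_first)])
    print("lenient backend sees:", [r for r, _ in parse_stream(SMUGGLED, lenient_backend)])
    print("strict backend rejects:", strict_rejects(SMUGGLED))
```

The strict policy deliberately errs towards rejection: RFC 9112 permits a server to refuse a request carrying both headers, and refusing is the only choice that cannot be desynchronised from whatever proxy sits in front. The same policy also rejects obfuscations such as 'xchunked' or 'chunked, gzip' that a substring match would accept.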
Patch Details
- Fixed Version: N/A
- Patch Commit: N/A