The Gunicorn version in seldon-core is vulnerable to request smuggling #5523
Labels
Comments
|
Hi @justinrmiller -- Thanks for flagging this and for opening up the PR. I will evaluate this and most-likely add this change to an adjacent PR that targets another CVE as it is only a dependency upgrade. I am looking at getting this merged in a week or so. |
|
Thanks @ramonpzg , let me know if I can help in any way. |
|
Hi @ramonpzg , any updates on this front? As part of SOC2 we ensure our Docker builds are free of vulnerabilities (CVEs) above a certain threshold and this is may eventually cause us to block a release. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Describe the bug
From CVE-2024-1135:
Gunicorn fails to properly validate Transfer-Encoding headers, leading to HTTP Request Smuggling (HRS) vulnerabilities. By crafting requests with conflicting Transfer-Encoding headers, attackers can bypass security restrictions and access restricted endpoints.Please see the following advisory for more details:
GHSA-w3h3-4rj7-4ph4
Bumping the version should be sufficient to remediate the vulnerability, as outlined in this bullet point in the security policy:
I went ahead and cut this PR to try to address this and another vulnerability in the cryptography library:
https://github.com/SeldonIO/seldon-core/pull/5524/files
To reproduce
N/A
Expected behaviour
seldon-core is not vulnerable to the CVE
Environment
All environments.
Model Details
N/A
The text was updated successfully, but these errors were encountered: