Bump gunicorn from 21.2.0 to 22.0.0 (#108)
This commit will bump gunicorn from 21.2.0 to 22.0.0. Gunicorn 22.0.0 resolves a high-severity security vulnerability (CVE-2024-1135, GHSA-w3h3-4rj7-4ph4):

> Gunicorn fails to properly validate Transfer-Encoding headers, leading
> to HTTP Request Smuggling (HRS) vulnerabilities. By crafting requests
> with conflicting Transfer-Encoding headers, attackers can bypass
> security restrictions and access restricted endpoints. This issue is
> due to Gunicorn's handling of Transfer-Encoding headers, where it
> incorrectly processes requests with multiple, conflicting
> Transfer-Encoding headers, treating them as chunked regardless of the
> final encoding specified. This vulnerability has been shown to allow
> access to endpoints restricted by gunicorn. This issue has been
> addressed in version 22.0.0.
>
> To be affected, users must have a network path which does not filter
> out invalid requests. These users are advised to block access to
> restricted endpoints via a firewall or other mechanism if they are
> unable to update.

https://docs.gunicorn.org/en/stable/news.html
https://github.com/benoitc/gunicorn/releases
GHSA-w3h3-4rj7-4ph4
https://nvd.nist.gov/vuln/detail/CVE-2024-1135

---

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
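The advisory quoted above turns on one framing rule: a request is chunked only when "chunked" is the final transfer coding, and anything else is a conflicting request that must be rejected (RFC 7230, section 3.3.1 and 3.3.3). The validator below is an added example written for this page, not gunicorn's own parser or the 22.0.0 fix; the function and exception names are made up here.

```python
"""Validate Transfer-Encoding per RFC 7230 (added example, not gunicorn code).

A request whose combined Transfer-Encoding list does not end in "chunked"
is rejected instead of being framed as chunked, which is the behaviour the
advisory describes for gunicorn before 22.0.0.
"""
from typing import Iterable


class BadTransferEncoding(ValueError):
    """Raised when Transfer-Encoding is malformed or conflicting (hypothetical name)."""


def parse_transfer_encoding(values: Iterable[str]) -> list[str]:
    """Combine repeated Transfer-Encoding header lines into one coding list.

    RFC 7230 lets list-valued headers be split across several lines, so
    ["gzip", "chunked"] and ["gzip, chunked"] describe the same coding list.
    """
    codings = []
    for value in values:
        for token in value.split(","):
            token = token.strip().lower()
            if not token:
                raise BadTransferEncoding("empty transfer-coding in list")
            codings.append(token)
    return codings


def is_chunked_request(values: Iterable[str]) -> bool:
    """Return True only when "chunked" is the final transfer coding.

    Returns False when no Transfer-Encoding header is present (the body
    length then comes from Content-Length).  Raises BadTransferEncoding
    for "chunked, gzip", a duplicated "chunked", or a list that never
    ends in "chunked": the server should answer 400 and close.
    """
    codings = parse_transfer_encoding(values)
    if not codings:
        return False
    if codings.count("chunked") > 1:
        raise BadTransferEncoding("chunked listed more than once")
    if codings[-1] != "chunked":
        raise BadTransferEncoding("chunked must be the final transfer coding")
    return True
```

Pass the function every Transfer-Encoding header line of a request, in order, so that split and duplicated lines are judged as one list rather than line by line.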