gunicorn@0.4.1 vulnerabilities

WSGI HTTP Server for UNIX

latest version

22.0.0
latest non vulnerable version

22.0.0
first published

14 years ago
latest version published

a month ago
licenses detected
- Apache-2.0
  [0.1,0.7.0)
View gunicorn package health on Snyk Advisor Open this link in a new tab

Report a new vulnerability Found a mistake?

Direct Vulnerabilities

Known vulnerabilities in the gunicorn package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability	Vulnerable Version
H HTTP Request Smuggling gunicorn is a Python WSGI HTTP Server for UNIX Affected versions of this package are vulnerable to HTTP Request Smuggling due to the improper validation of `Transfer-Encoding` headers. An attacker can bypass security restrictions and access restricted endpoints by crafting requests with conflicting `Transfer-Encoding` headers. Notes: This is only exploitable if users have a network path which does not filter out invalid requests; Users are advised to block access to restricted endpoints via a firewall or other mechanism until a fix can be developed. This issue arises from the application's incorrectly processing of requests with multiple, conflicting `Transfer-Encoding` headers, treating them as chunked regardless of the final encoding specified. How to fix HTTP Request Smuggling? Upgrade `gunicorn` to version 22.0.0 or higher.	[,22.0.0)
L Improper Input Validation gunicorn is a Python WSGI HTTP Server for UNIX Affected versions of this package are vulnerable to Improper Input Validation. Gunicorn fails with a 500, instead of a 400, when a request path is a malformed IPv6 address. This is due to no raise 'InvalidRequestLine' exception when the line contains malicious data. How to fix Improper Input Validation? Upgrade `gunicorn` to version 19.4.0 or higher.	[,19.4.0)
M HTTP Request Smuggling gunicorn is a Python WSGI HTTP Server for UNIX Affected versions of this package are vulnerable to HTTP Request Smuggling. It fails to properly process the `Transfer-Encoding` and `Content-Length` headers when both are present in a package request. This allows for conflicting information to be sent regarding the length of the package, which when processed by back-end servers under certain configurations would allow for malicious users to bypass security controls, gain unauthorized access to sensitive data, and directly compromise other application users. How to fix HTTP Request Smuggling? Upgrade `gunicorn` to version 19.10.0, 20.0.1 or higher.	[,19.10.0) [20.0.0,20.0.1)
H HTTP Response Splitting gunicorn is a WSGI HTTP Server for UNIX, fast clients and sleepy applications. Affected versions of this package are vulnerable to HTTP Response Splitting in the `process_headers` function. How to fix HTTP Response Splitting? Upgrade `gunicorn` to version 19.5.0 or higher.	[,19.5.0)

Go back to all versions of this package

gunicorn@0.4.1 vulnerabilities

WSGI HTTP Server for UNIX

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities