
Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
CVE-2024-1135 affects Gunicorn, an event-based HTTP/WSGI server, which fails to properly validate Transfer-Encoding headers. The vulnerability was discovered in December 2023 and publicly disclosed in April 2024. It affects Gunicorn version 21.2.0 and earlier, and is particularly relevant to installations using the gevent or gthread worker classes (Huntr Report).
The vulnerability stems from Gunicorn's improper validation of Transfer-Encoding headers, where it incorrectly processes requests with multiple, conflicting Transfer-Encoding headers. The server treats these requests as chunked regardless of the final encoding specified, which violates RFC 9110. The vulnerability has been assigned a CVSS v3.0 base score of 7.5 (High) with vector string CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N. The issue is specifically identified as CWE-444: Inconsistent Interpretation of HTTP Requests (HTTP Request/Response Smuggling) (NVD, Huntr Report).
The vulnerability enables HTTP Request Smuggling (HRS) attacks that can lead to multiple security issues including cache poisoning, session manipulation, data exposure, security bypass, and potential access to restricted endpoints. The vulnerability specifically affects installations using gevent or gthread worker classes, while the default sync worker class is not vulnerable due to its connection handling characteristics (Huntr Report).
The vulnerability has been fixed in Gunicorn's master branch through commit ac29c9b0a758d21f1e0fb3b3457239e523fa9f1d. For Debian 10 (buster), the fix is included in version 19.9.0-1+deb10u1. Users should upgrade their Gunicorn installations to the patched versions. Additionally, running the default sync worker class instead of the gevent or gthread workers prevents exploitation (Debian Advisory, Huntr Report).
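The paragraphs above describe the flaw (a body treated as chunked whenever "chunked" appears in the Transfer-Encoding list, even when it is not the final coding) and the remedy. The following Python is an added example, not Gunicorn's code and not the upstream commit: it puts a lenient framing decision of the kind the advisory describes next to a strict one that follows the message-length rules of RFC 9112 section 6.3 (chunked must be the final coding, Transfer-Encoding with Content-Length is rejected, repeated Content-Length lines must agree). All function, class and sample names are this example's own, and the header sets are constructed rather than captured.

```python
# Added example (not Gunicorn's code): lenient vs. strict HTTP request framing.
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

Header = Tuple[str, str]


class FramingError(ValueError):
    """Ambiguous or invalid framing: the server must answer 400 and close."""


@dataclass(frozen=True)
class Framing:
    chunked: bool                  # body is read with the chunked decoder
    content_length: Optional[int]  # otherwise exactly this many bytes


def _field_values(headers: List[Header], name: str) -> List[str]:
    """All values of one header field, case-insensitively, in arrival order."""
    return [v for k, v in headers if k.lower() == name]


def _transfer_codings(headers: List[Header]) -> List[str]:
    """Flatten every Transfer-Encoding line into one ordered coding list.
    RFC 9110 s5.3: repeated list-valued field lines are equivalent to a
    single line holding their comma-joined concatenation."""
    codings = []
    for raw in _field_values(headers, "transfer-encoding"):
        codings.extend(item.strip().lower() for item in raw.split(",") if item.strip())
    return codings


def lenient_framing(headers: List[Header]) -> Framing:
    """Model of the flawed behaviour described in the advisory: any 'chunked'
    in the coding list makes the body chunked, whatever the final coding is."""
    if "chunked" in _transfer_codings(headers):
        return Framing(chunked=True, content_length=None)
    lengths = _field_values(headers, "content-length")
    return Framing(chunked=False, content_length=int(lengths[0]) if lengths else 0)


def strict_framing(headers: List[Header]) -> Framing:
    """Framing per RFC 9112 s6.3, rejecting every ambiguous combination."""
    codings = _transfer_codings(headers)
    lengths = _field_values(headers, "content-length")
    if codings:
        # Rule 3: chunked must be the final coding, or the length is undeterminable.
        if codings[-1] != "chunked":
            raise FramingError("chunked is not the final transfer coding")
        if codings.count("chunked") > 1:
            raise FramingError("chunked applied more than once")
        # Transfer-Encoding alongside Content-Length is the classic smuggling
        # signal; the RFC permits treating it as an error, so reject it.
        if lengths:
            raise FramingError("Transfer-Encoding and Content-Length both present")
        return Framing(chunked=True, content_length=None)
    if lengths:
        # Rule 5: values must be plain decimals and all repeated lines must agree.
        if any(not re.fullmatch(r"[0-9]+", v.strip()) for v in lengths):
            raise FramingError("invalid Content-Length value")
        distinct = {int(v) for v in lengths}
        if len(distinct) != 1:
            raise FramingError("conflicting Content-Length values")
        return Framing(chunked=False, content_length=distinct.pop())
    # No framing headers on a request: no body.
    return Framing(chunked=False, content_length=0)


def summarize(headers: List[Header]) -> str:
    """One-line verdict of the strict parser, handy for logs and tests."""
    try:
        f = strict_framing(headers)
    except FramingError as e:
        return f"reject: {e}"
    return "chunked" if f.chunked else f"content-length {f.content_length}"


def disagrees(headers: List[Header]) -> bool:
    """True when the lenient and strict parsers frame the request differently
    (or the strict one rejects it): the gap a front-end proxy must not pass on."""
    try:
        return strict_framing(headers) != lenient_framing(headers)
    except FramingError:
        return True


# Constructed sample header sets (not captured traffic).
SAMPLES = {
    "plain chunked": [("Host", "app.example"), ("Transfer-Encoding", "chunked")],
    "gzip then chunked": [("Transfer-Encoding", "gzip, chunked")],
    "chunked not final": [("Transfer-Encoding", "chunked, gzip")],
    "repeated TE lines": [("Transfer-Encoding", "chunked"), ("Transfer-Encoding", "gzip")],
    "TE plus CL": [("Transfer-Encoding", "chunked"), ("Content-Length", "5")],
    "two agreeing CL": [("Content-Length", "5"), ("Content-Length", "5")],
    "two conflicting CL": [("Content-Length", "5"), ("Content-Length", "6")],
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(f"{name:20s} -> {summarize(hdrs):50s} divergence={disagrees(hdrs)}")
```

Running the block prints, for each sample, the strict verdict and whether the lenient parser would have framed the same request differently; the rows flagged `divergence=True` are the header shapes a defender wants a reverse proxy in front of the application server to reject outright, so that both hops always agree on where one request ends and the next begins.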
Source: This report was generated using AI