DEBIAN-CVE-2024-6827

See a problem?
Please try reporting it to the source first.
Source
https://security-tracker.debian.org/tracker/CVE-2024-6827
Import Source
https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2024-6827.json
JSON Data
https://api.osv.dev/v1/vulns/DEBIAN-CVE-2024-6827
Upstream
Published
2025-03-20T10:15:33.357Z
Modified
2025-11-20T10:17:54.119121Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
[none]
Details

Gunicorn version 21.2.0 does not properly validate the value of the 'Transfer-Encoding' header as specified in the RFC standards, which leads to the default fallback method of 'Content-Length,' making it vulnerable to TE.CL request smuggling. This vulnerability can lead to cache poisoning, data exposure, session manipulation, SSRF, XSS, DoS, data integrity compromise, security bypass, information leakage, and business logic abuse.

References

Affected packages

Debian:11 / gunicorn

Package

Name
gunicorn
Purl
pkg:deb/debian/gunicorn?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

20.*

20.1.0-1
20.1.0-1+deb11u1
20.1.0-2
20.1.0-3
20.1.0-4
20.1.0-5
20.1.0-6

22.*

22.0.0-1

23.*

23.0.0-1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2024-6827.json"

Debian:12 / gunicorn

Package

Name
gunicorn
Purl
pkg:deb/debian/gunicorn?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

20.*

20.1.0-6
20.1.0-6+deb12u1

22.*

22.0.0-1

23.*

23.0.0-1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2024-6827.json"

Debian:13 / gunicorn

Package

Name
gunicorn
Purl
pkg:deb/debian/gunicorn?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
23.0.0-1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2024-6827.json"

Debian:14 / gunicorn

Package

Name
gunicorn
Purl
pkg:deb/debian/gunicorn?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
23.0.0-1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2024-6827.json"