CVE-2024-1135
Buffer Overflow vulnerability in gunicorn (PyPI)
What is CVE-2024-1135 About?
This vulnerability is a Buffer Overflow in Eclipse Jetty versions 9.4.0 to 9.4.56, occurring when a buffer is incorrectly released during a gzip error while inflating a request body. This can lead to corrupted data or inadvertent sharing of data between requests. Exploitation appears to be moderately difficult, relying on specific error conditions during gzip processing.
Affected Software
Technical Details
The vulnerability arises in Eclipse Jetty during the processing of gzip-compressed request bodies. When a gzip error occurs, the internal buffer responsible for handling the inflated data is improperly released. This incorrect release can result in the memory region associated with the buffer being left in an inconsistent state or prematurely made available for other operations. Consequently, subsequent requests might access this corrupted or partially released buffer, leading to data corruption or the unintended exposure of data from one request to another. The attack vector specifically targets the error handling mechanism within the gzip decompression routine in Jetty's request processing.
What is the Impact of CVE-2024-1135?
Successful exploitation may allow attackers to cause data corruption, leading to system instability or incorrect application behavior. It may also lead to the inadvertent exposure of sensitive data between different client requests, compromising data confidentiality and integrity.
What is the Exploitability of CVE-2024-1135?
Exploitation of this vulnerability would likely be complex, requiring an attacker to craft a request with a malformed or error-inducing gzip-compressed body. There are no inherent authentication or privilege requirements to trigger the vulnerability, as it affects how the server processes incoming requests. Access would be remote, as it involves sending specific HTTP requests to the Jetty server. The likelihood of exploitation is increased if the application frequently handles gzip-compressed request bodies and if internal error handling for such scenarios is not robust.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2024-1135?
About the Fix from Resolved Security
The patch adds strict validation for requests with both Transfer-Encoding and Content-Length headers, rejecting ambiguous or unsupported combinations that could enable HTTP request smuggling. This mitigates CVE-2024-1135 by preventing attackers from exploiting discrepancies in message framing, ensuring Gunicorn consistently handles and rejects dangerous or non-standard HTTP request structures unless a newly added, opt-in compatibility flag is explicitly set.
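The framing rule described above, as an added example that is not Gunicorn's own code: a check that refuses requests carrying both Transfer-Encoding and Content-Length, refuses transfer codings other than a single `chunked`, and refuses conflicting Content-Length values. The function names, the `allow_te_with_cl` compatibility flag and the "only chunked is supported" policy are assumptions chosen for illustration, not Gunicorn's real option names or exact behaviour; the sample requests are constructed, not captured traffic.

```python
# Added example (not Gunicorn's code): a request-framing check of the kind the
# 22.0.0 fix described above performs. Names, the compat flag and the policy of
# accepting only "chunked" as a transfer coding are assumptions for illustration.
from typing import Iterable, List, Tuple


class RequestFramingError(ValueError):
    """The request cannot be framed unambiguously; the server should answer 400."""


def parse_head(raw: bytes) -> List[Tuple[str, str]]:
    """Split a raw request head (constructed test input) into (name, value) pairs."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers = []
    for line in head.split("\r\n")[1:]:          # skip the request line
        if ":" not in line:
            raise RequestFramingError(f"malformed header line: {line!r}")
        name, value = line.split(":", 1)
        headers.append((name.strip(), value.strip()))
    return headers


def check_framing(headers: Iterable[Tuple[str, str]], *, allow_te_with_cl: bool = False) -> str:
    """Return how the body is delimited: "chunked", "content-length" or "none".

    allow_te_with_cl is a hypothetical opt-in compatibility flag: when set, a
    request carrying both headers is accepted and Transfer-Encoding wins. That
    is the lenient pre-fix behaviour; it is dangerous whenever an upstream proxy
    framed the same request by Content-Length, because the two hops then
    disagree on where the message ends.
    """
    codings: List[str] = []
    lengths: List[str] = []
    for name, value in headers:
        key = name.lower()
        if key == "transfer-encoding":
            codings += [c.strip().lower() for c in value.split(",") if c.strip()]
        elif key == "content-length":
            lengths.append(value.strip())

    if codings and lengths:
        if not allow_te_with_cl:
            raise RequestFramingError("Transfer-Encoding and Content-Length both present")
        lengths = []                              # compat mode: TE takes precedence

    if codings:
        # Only a single "chunked" coding is supported; anything else (gzip, an
        # obfuscated token, chunked listed twice) is rejected rather than guessed at.
        if codings != ["chunked"]:
            raise RequestFramingError(f"unsupported transfer coding(s): {codings}")
        return "chunked"

    if lengths:
        # Repeated Content-Length is tolerable only when every copy agrees.
        if len(set(lengths)) != 1:
            raise RequestFramingError(f"conflicting Content-Length values: {lengths}")
        if not lengths[0].isdigit():
            raise RequestFramingError(f"non-numeric Content-Length: {lengths[0]!r}")
        return "content-length"

    return "none"


def framing_verdict(raw: bytes, **opts) -> str:
    """Convenience wrapper: framing mode, or "rejected: <reason>" for bad requests."""
    try:
        return check_framing(parse_head(raw), **opts)
    except RequestFramingError as exc:
        return f"rejected: {exc}"


# Constructed sample requests; none of these are captured traffic.
SAMPLES = {
    "plain":       b"POST / HTTP/1.1\r\nHost: app\r\nContent-Length: 5\r\n\r\nhello",
    "chunked":     b"POST / HTTP/1.1\r\nHost: app\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n",
    "te_and_cl":   b"POST / HTTP/1.1\r\nHost: app\r\nContent-Length: 4\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n",
    "unsupported": b"POST / HTTP/1.1\r\nHost: app\r\nTransfer-Encoding: gzip, chunked\r\n\r\n0\r\n\r\n",
    "dup_cl":      b"POST / HTTP/1.1\r\nHost: app\r\nContent-Length: 4\r\nContent-Length: 5\r\n\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:12s} strict: {framing_verdict(raw)}")
    print(f"{'te_and_cl':12s} compat: {framing_verdict(SAMPLES['te_and_cl'], allow_te_with_cl=True)}")
```

Running the block prints the verdict for each constructed request; only `plain` and `chunked` pass in strict mode, while the same `te_and_cl` request is accepted (framed as chunked) once the compatibility flag is set, which is exactly the behaviour the opt-in flag exists to preserve for legacy clients.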
Available Upgrade Options
- gunicorn
- <22.0.0 → Upgrade to 22.0.0
Additional Resources
- https://github.com/benoitc/gunicorn/commit/ac29c9b0a758d21f1e0fb3b3457239e523fa9f1d
- https://osv.dev/vulnerability/GHSA-w3h3-4rj7-4ph4
- https://lists.debian.org/debian-lts-announce/2024/06/msg00027.html
- https://lists.debian.org/debian-lts-announce/2024/12/msg00018.html
- https://github.com/benoitc/gunicorn/pull/3113
- https://huntr.com/bounties/22158e34-cfd5-41ad-97e0-a780773d96c1
- https://github.com/benoitc/gunicorn/releases/tag/22.0.0
- https://github.com/benoitc/gunicorn
- https://nvd.nist.gov/vuln/detail/CVE-2024-1135
What are Similar Vulnerabilities to CVE-2024-1135?
Similar Vulnerabilities: CVE-2023-4908, CVE-2023-38545, CVE-2023-34035, CVE-2023-28432, CVE-2022-26135
