[Snyk: High] gevent (Due 10/20/23)

Question

[Snyk: High] gevent (Due 10/20/23)

fec-jli opened this issue a year ago · 0 comments

gevent Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
https://app.snyk.io/org/fecgov/project/5e01de94-91bc-43d8-90b1-8843384b4b26#issue-SNYK-PYTHON-GEVENT-5906371
Introduced through
gevent@22.10.2
Fixed in
gevent@23.9.0
Exploit maturity
NO KNOWN EXPLOIT
Show less detail
Detailed paths and remediation
Introduced through: project@0.0.0 › gevent@22.10.2
Fix: Upgrade gevent to version 23.9.0
Security information
Factors contributing to the scoring:
Snyk: CVSS 7.5 - High Severity

NVD: Not available. NVD has not yet published its analysis.
Why are the scores different? Learn how Snyk evaluates vulnerability scores
Overview
Affected versions of this package are vulnerable to Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') when the gevent.pywsgi function is used. An attacker can craft invalid trailers in chunked requests on keep-alive connections that might appear as two requests to gevent.pywsgi. This could potentially bypass checks if an upstream server is filtering incoming requests based on paths or header fields and simply passing trailers through without validating them.

Note: If the upstream server validated that the trailers meet the HTTP specification, this could not occur, because characters that are required in an HTTP request, like a space, are not allowed in trailers.

Completion Criteria:
[ ] Fix: Upgrade gevent to version 23.9.0