Vulnerability in gevent.pywsgi.WSGIServer #1989
Comments
Thank you for your interest in gevent and your bug report. While
gevent 23.9 has been released with tests and a fix for this. Thank you again for the report.
@jamadden Hi. Sorry for my late response and thanks for your quick fix. Here's a request:
I don't see why not; the release notes already include a summary.
OK, thanks.
* fix: update gevent dependency fixes gevent/gevent#1989
CVE-2023-41419 has been assigned to this issue. Fixed in 23.9.0.
Description
Previously, carefully crafted invalid trailers in chunked requests on keep-alive connections might appear as two requests to gevent.pywsgi. Because this was handled exactly as a normal keep-alive connection with two requests, the WSGI application should handle it normally. However, if you were counting on some upstream server to filter incoming requests based on paths or header fields, and the upstream server simply passed trailers through without validating them, then this embedded second request would bypass those checks. (If the upstream server validated that the trailers meet the HTTP specification, this could not occur, because characters that are required in an HTTP request, like a space, are not allowed in trailers.) (source - docs/changes/1989.bugfix)
Payload
Credit
Fixed by @jamadden.
Reported by Keran Mu (@mukeran) and Jianjun Chen (@chenjj), from Tsinghua University and Zhongguancun Laboratory.
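The trailer validation that the description says an upstream server should perform, as an added example (not gevent's code and not part of the issue): every trailer line must be a valid HTTP field line, so a line with a space in its name is rejected rather than passed through. The function names, the forbidden-field policy and the sample bytes are assumptions made for this illustration.

```python
import re

# RFC 9110 "token": the only bytes allowed in a field name (no space, "/" or ":").
TOKEN = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
# Field value bytes: HTAB, SP, visible ASCII, obs-text. CR, LF and NUL never match.
VALUE = re.compile(rb"[\t\x20-\x7e\x80-\xff]*")
# Policy assumption for this example: framing and routing fields are refused.
FORBIDDEN = {b"content-length", b"transfer-encoding", b"host"}


class InvalidTrailer(ValueError):
    """The trailer section is not a valid list of HTTP field lines."""


def parse_trailers(buf: bytes, max_bytes: int = 8192):
    """Validate the bytes that follow the last-chunk line ("0\\r\\n").

    Returns (trailers, rest); rest is whatever follows the blank line that
    ends the message. Raises InvalidTrailer instead of guessing.
    """
    if buf.startswith(b"\r\n"):  # empty trailer section
        return [], buf[2:]
    end = buf.find(b"\r\n\r\n")
    if end < 0 or end > max_bytes:
        raise InvalidTrailer("unterminated or oversized trailer section")
    trailers = []
    for line in buf[:end].split(b"\r\n"):
        name, colon, value = line.partition(b":")
        if not colon or not TOKEN.fullmatch(name):
            raise InvalidTrailer(f"bad field name in {line!r}")
        value = value.strip(b" \t")
        if not VALUE.fullmatch(value):
            raise InvalidTrailer(f"bad field value in {line!r}")
        if name.lower() in FORBIDDEN:
            raise InvalidTrailer(f"{name!r} is not allowed in trailers")
        trailers.append((name, value))
    return trailers, buf[end + 4:]


def is_valid(buf: bytes) -> bool:
    try:
        parse_trailers(buf)
        return True
    except InvalidTrailer:
        return False


# Constructed samples, not taken from the issue.
GOOD = b"X-Checksum: 9f2c\r\n\r\n"
REQUEST_LIKE = b"GET /internal HTTP/1.1\r\n\r\n"  # space in the "name", no colon
```

A proxy that applies a check like this should answer with a 400 and close the connection on `InvalidTrailer` rather than forward the bytes.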