Vulnerability in gevent.pywsgi.WSGIServer #1989

Closed
mukeran opened this issue Aug 31, 2023 · 5 comments · Fixed by CTFd/CTFd#2435
Comments

@mukeran

mukeran commented Aug 31, 2023

  • gevent version: 23.7.0 (pypi)
  • Python version: 3.8.15
  • Operating System: Linux

CVE-2023-41419 has been assigned to this issue. Fixed in 23.9.0.

Description

Previously, carefully crafted invalid trailers in chunked requests on keep-alive connections might appear as two requests to gevent.pywsgi. Because this was handled exactly as a normal keep-alive connection with two requests, the WSGI application should handle it normally. However, if you were counting on some upstream server to filter incoming requests based on paths or header fields, and the upstream server simply passed trailers through without validating them, then this embedded second request would bypass those checks. (If the upstream server validated that the trailers meet the HTTP specification, this could not occur, because characters that are required in an HTTP request, like a space, are not allowed in trailers.) (source - docs/changes/1989.bugfix)

Payload

POST /path1 HTTP/1.1
Host: a.com
Transfer-Encoding: chunked
Connection: keep-alive

2
a2
0
Header: value
POST /path2?a=:123 HTTP/1.1
Host: a.com
Connection: close

Credit

Fixed by @jamadden.
Reported by Keran Mu (@mukeran) and Jianjun Chen (@chenjj), from Tsinghua University and Zhongguancun Laboratory.
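The description above hinges on one check an upstream proxy or server can apply: a trailer field-name must be an RFC 9110 token, and a token cannot contain a space, "/" or "?", so a request line can never be a valid trailer. The following is an added example (not gevent's code and not the reporter's) of a chunked-body decoder that enforces that rule and refuses the trailer section from the payload above; the sample bodies, the helper names (decode_chunked, validate_trailers, accepts) and the choice to require CRLF line endings are assumptions of this example.

```python
import re

# RFC 9110 "token": the only characters allowed in a field-name.
# Space, "/", "?", ":" and "=" are not tchars, so a line such as
# "POST /path2?a=:123 HTTP/1.1" cannot pass as a trailer.
TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


class BadTrailer(ValueError):
    """Raised when a trailer line is not a well-formed header field."""


def validate_trailers(lines):
    """Return [(name, value)] for well-formed trailer lines, else raise BadTrailer."""
    fields = []
    for line in lines:
        name, sep, value = line.partition(":")
        if not sep or not TOKEN.match(name):
            raise BadTrailer(f"invalid trailer field-name: {name!r}")
        fields.append((name, value.strip(" \t")))
    return fields


def decode_chunked(raw: bytes):
    """Decode a chunked body with CRLF framing.

    Returns (body, trailer_fields, leftover). Chunk extensions after ';'
    are ignored; bare LF is deliberately not accepted in this example.
    """
    pos = 0
    body = bytearray()
    while True:
        end = raw.index(b"\r\n", pos)
        size = int(raw[pos:end].decode("latin-1").split(";", 1)[0].strip(), 16)
        pos = end + 2
        if size == 0:
            break  # last-chunk; the trailer section follows
        body += raw[pos:pos + size]
        pos += size
        if raw[pos:pos + 2] != b"\r\n":
            raise ValueError("chunk data not terminated by CRLF")
        pos += 2
    # Trailer section: header-like lines up to an empty line.
    trailer_lines = []
    while True:
        end = raw.index(b"\r\n", pos)
        line = raw[pos:end].decode("latin-1")
        pos = end + 2
        if line == "":
            break
        trailer_lines.append(line)
    # Anything after the empty line belongs to the next message on the connection.
    return bytes(body), validate_trailers(trailer_lines), raw[pos:]


def accepts(raw: bytes) -> bool:
    """True if the chunked body and its trailers are well-formed."""
    try:
        decode_chunked(raw)
        return True
    except BadTrailer:
        return False


# Constructed sample inputs: the body from the issue's payload, and a benign one.
CRAFTED_BODY = (
    b"2\r\na2\r\n0\r\n"
    b"Header: value\r\n"
    b"POST /path2?a=:123 HTTP/1.1\r\nHost: a.com\r\nConnection: close\r\n\r\n"
)
BENIGN_BODY = b"2\r\na2\r\n0\r\nHeader: value\r\n\r\n"

if __name__ == "__main__":
    print("crafted accepted:", accepts(CRAFTED_BODY))
    print("benign accepted:", accepts(BENIGN_BODY))
    print("benign decoded:", decode_chunked(BENIGN_BODY))
```

With this check in place, the crafted trailer section is rejected at the second trailer line, so the embedded request line is never carried through to a backend that would parse it as a new request; the benign body decodes to the two-byte payload with a single trailer field and no leftover bytes.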

@jamadden
Member

jamadden commented Aug 31, 2023

Thank you for your interest in gevent and your bug report. While gevent.pywsgi has never been advertised as an Internet-facing, production-ready implementation and users have been advised to use something that is, like gunicorn, or at the very least a secure reverse proxy, I will prioritize a fix for this issue.

@jamadden
Member

jamadden commented Sep 1, 2023

gevent 23.9 has been released with tests and a fix for this. Thank you again for the report.

@mukeran
Author

mukeran commented Sep 20, 2023

@jamadden Hi. Sorry for my late response and thanks for your quick fix. Here's a request:
According to MITRE's email, if I want to make the CVE public, I have to modify the description of this issue with the (negative) detail of this vulnerability.
Is it OK to replace my description with details of the vulnerability since the issue has been fixed?

@jamadden
Member

I don't see why not; the release notes already include a summary.

@mukeran
Author

mukeran commented Sep 22, 2023

OK, thanks.

RiRa12621 added a commit to RiRa12621/CTFd that referenced this issue Dec 8, 2023
ColdHeat pushed a commit to CTFd/CTFd that referenced this issue Dec 8, 2023
* fix: update gevent dependency

fixes gevent/gevent#1989