{
"Definition": [
{
"ID": "oval:org.altlinux.errata:def:202415877",
"Version": "oval:org.altlinux.errata:def:202415877",
"Class": "patch",
"Metadata": {
"Title": "ALT-PU-2024-15877: package `python3-module-gunicorn` update to version 23.0.0-alt1",
"AffectedList": [
{
"Family": "unix",
"Platforms": [
"ALT Linux branch p11"
],
"Products": [
"ALT Container"
]
}
],
"References": [
{
"RefID": "ALT-PU-2024-15877",
"RefURL": "https://errata.altlinux.org/ALT-PU-2024-15877",
"Source": "ALTPU"
},
{
"RefID": "BDU:2024-03553",
"RefURL": "https://bdu.fstec.ru/vul/2024-03553",
"Source": "BDU"
},
{
"RefID": "CVE-2024-1135",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2024-1135",
"Source": "CVE"
}
],
"Description": "This update upgrades python3-module-gunicorn to version 23.0.0-alt1. \nSecurity Fix(es):\n\n * BDU:2024-03553: Уязвимость WSGI-сервера gunicorn, связанная с недостатками обработки HTTP-запросов, позволяющая нарушителю обойти существующие ограничения безопасности и выполнить атаку «контрабанда HTTP-запросов»\n\n * CVE-2024-1135: Gunicorn fails to properly validate Transfer-Encoding headers, leading to HTTP Request Smuggling (HRS) vulnerabilities. By crafting requests with conflicting Transfer-Encoding headers, attackers can bypass security restrictions and access restricted endpoints. This issue is due to Gunicorn's handling of Transfer-Encoding headers, where it incorrectly processes requests with multiple, conflicting Transfer-Encoding headers, treating them as chunked regardless of the final encoding specified. This vulnerability allows for a range of attacks including cache poisoning, session manipulation, and data exposure.\n\n * #52085: Для закрытия CVE-2024-1135 необходимо обновить пакет",
"Advisory": {
"From": "errata.altlinux.org",
"Severity": "High",
"Rights": "Copyright 2024 BaseALT Ltd.",
"Issued": {
"Date": "2024-11-22"
},
"Updated": {
"Date": "2024-11-22"
},
"BDUs": [
{
"ID": "BDU:2024-03553",
"CVSS": "AV:N/AC:L/Au:N/C:N/I:C/A:N",
"CVSS3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"CWE": "CWE-444",
"Href": "https://bdu.fstec.ru/vul/2024-03553",
"Impact": "High",
"Public": "20231219"
}
],
"CVEs": [
{
"ID": "CVE-2024-1135",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2024-1135",
"Impact": "None",
"Public": "20240416"
}
],
"Bugzilla": [
{
"ID": "52085",
"Href": "https://bugzilla.altlinux.org/52085",
"Data": "Для закрытия CVE-2024-1135 необходимо обновить пакет"
}
],
"AffectedCPEs": {
"CPEs": [
"cpe:/o:alt:container:11"
]
}
}
},
"Criteria": {
"Operator": "AND",
"Criterions": [
{
"TestRef": "oval:org.altlinux.errata:tst:3001",
"Comment": "ALT Linux must be installed"
}
],
"Criterias": [
{
"Operator": "OR",
"Criterions": [
{
"TestRef": "oval:org.altlinux.errata:tst:202415877001",
"Comment": "python3-module-gunicorn is earlier than 0:23.0.0-alt1"
}
]
}
]
}
}
]
}