
The Gunicorn version in seldon-core is vulnerable to request smuggling

Open justinrmiller opened this issue 10 months ago • 4 comments

Describe the bug

From CVE-2024-1135: Gunicorn fails to properly validate Transfer-Encoding headers, leading to HTTP Request Smuggling (HRS) vulnerabilities. By crafting requests with conflicting Transfer-Encoding headers, attackers can bypass security restrictions and access restricted endpoints.

Please see the following advisory for more details: https://github.com/advisories/GHSA-w3h3-4rj7-4ph4

Bumping the version should be sufficient to remediate the vulnerability, as outlined in this bullet point in the security policy:

  • Address CVEs in project dependencies by upgrading versions where possible

I went ahead and cut this PR to try to address this and another vulnerability in the cryptography library: https://github.com/SeldonIO/seldon-core/pull/5524/files

To reproduce

N/A

Expected behaviour

seldon-core is not vulnerable to the CVE

Environment

All environments.

Model Details

N/A

justinrmiller avatar Apr 19 '24 11:04 justinrmiller

Hi @justinrmiller -- Thanks for flagging this and for opening up the PR. I will evaluate this and most-likely add this change to an adjacent PR that targets another CVE as it is only a dependency upgrade. I am looking at getting this merged in a week or so.

ramonpzg avatar Apr 22 '24 08:04 ramonpzg

Thanks @ramonpzg, let me know if I can help in any way.

justinrmiller avatar Apr 22 '24 16:04 justinrmiller

Hi @ramonpzg, any updates on this front? As part of SOC2 we ensure our Docker builds are free of vulnerabilities (CVEs) above a certain threshold, and this may eventually cause us to block a release.

justinrmiller avatar Apr 30 '24 21:04 justinrmiller

Any progress on this? @justinrmiller @ramonpzg Security issues are not a joke :<

mg515 avatar Jun 10 '24 13:06 mg515