Headline
CVE-2023-41419: Vulnerability in gevent.pywsgi.WSGIServer · Issue #1989 · gevent/gevent
An issue in Gevent Gevent before version 23.9.1 allows a remote attacker to escalate privileges via a crafted script to the WSGIServer component.
- gevent version: 23.7.0 (pypi)
- Python version: 3.8.15
- Operating System: Linux
CVE-2023-41419 has been assigned to this issue. Fixed in 23.9.0.
Description
Previously, carefully crafted invalid trailers in chunked requests on keep-alive connections might appear as two requests to gevent.pywsgi. Because this was handled exactly as a normal keep-alive connection with two requests, the WSGI application should handle it normally. However, if you were counting on some upstream server to filter incoming requests based on paths or header fields, and the upstream server simply passed trailers through without validating them, then this embedded second request would bypass those checks. (If the upstream server validated that the trailers meet the HTTP specification, this could not occur, because characters that are required in an HTTP request, like a space, are not allowed in trailers.) (source - docs/changes/1989.bugfix)
Payload
POST /path1 HTTP/1.1
Host: a.com
Transfer-Encoding: chunked
Connection: keep-alive

2
a2
0
Header: value
POST /path2?a=:123 HTTP/1.1
Host: a.com
Connection: close
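The changelog above notes that the embedded second request can only get through an upstream server that passes trailers along without validating them, because a request line contains characters (a space, for one) that are not allowed in a trailer field name. As an added illustration, not code from gevent or from the reporters, the following Python implements that validation from the upstream-proxy side: it frames the chunked body, reads the whole trailer section up to the empty line, and refuses the request if any trailer line is not a syntactically valid field (RFC 9110 token rules) or names a field that is not permitted in trailers. The two sample payloads are constructed for this example; the first is the issue's payload reassembled with CRLF line endings and an assumed blank line closing the trailer section, which the flattened page does not show.

```python
import re

# Characters allowed in an HTTP field name ("tchar", RFC 9110 section 5.6.2).
# SP, "/", "?" and "=" are absent, so a request line can never be a valid name.
_TCHAR = frozenset("!#$%&'*+-.^_`|~0123456789"
                   "abcdefghijklmnopqrstuvwxyz"
                   "ABCDEFGHIJKLMNOPQRSTUVWXYZ")

# Subset of the field names RFC 9110 section 6.5.1 forbids in a trailer section
# (message framing, routing and request-modifier fields).
_FORBIDDEN_IN_TRAILERS = frozenset({
    "transfer-encoding", "content-length", "host", "connection", "trailer",
    "content-encoding", "content-type", "content-range", "te", "expect",
})


def parse_chunked_body(raw):
    """Decode a chunked body strictly.

    Returns (data, trailer_lines, leftover_bytes); raises ValueError on any
    framing error (bad chunk size, missing CRLF, truncation).
    """
    pos, data = 0, bytearray()
    while True:
        end = raw.find(b"\r\n", pos)
        if end < 0:
            raise ValueError("truncated chunk-size line")
        size_field = raw[pos:end].split(b";", 1)[0].strip()  # drop chunk extensions
        if not re.fullmatch(rb"[0-9A-Fa-f]+", size_field):
            raise ValueError("invalid chunk size %r" % size_field)
        size = int(size_field, 16)
        pos = end + 2
        if size == 0:
            break
        chunk = raw[pos:pos + size]
        if len(chunk) != size or raw[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("chunk data truncated or not CRLF-terminated")
        data += chunk
        pos += size + 2
    trailers = []
    while True:  # the trailer section ends at the first empty line
        end = raw.find(b"\r\n", pos)
        if end < 0:
            raise ValueError("truncated trailer section")
        line = raw[pos:end]
        pos = end + 2
        if not line:
            break
        trailers.append(line)
    return bytes(data), trailers, raw[pos:]


def trailer_violations(trailer_lines):
    """Return (line, reason) for every trailer line that is not a permitted field."""
    problems = []
    for line in trailer_lines:
        name, sep, _value = line.partition(b":")
        name_text = name.decode("latin-1")
        if not sep or not name_text:
            problems.append((line, "no field-name/value separator"))
        elif any(ch not in _TCHAR for ch in name_text):
            bad = sorted({ch for ch in name_text if ch not in _TCHAR})
            problems.append((line, "illegal characters in field name: %r" % bad))
        elif name_text.lower() in _FORBIDDEN_IN_TRAILERS:
            problems.append((line, "field not permitted in a trailer section"))
    return problems


def inspect_request(raw):
    """Frame one request strictly and decide whether a proxy should forward it."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return {"accept": False, "reason": "no end of header section"}
    headers = {}
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        n, _, v = line.partition(b":")
        headers[n.strip().lower()] = v.strip()
    if headers.get(b"transfer-encoding", b"").lower() != b"chunked":
        return {"accept": True, "reason": "not chunked; out of scope", "body": body, "leftover": b""}
    try:
        data, trailers, leftover = parse_chunked_body(body)
    except ValueError as exc:
        return {"accept": False, "reason": "framing error: %s" % exc}
    problems = trailer_violations(trailers)
    if problems:
        detail = "; ".join("%r (%s)" % (l.decode("latin-1"), why) for l, why in problems)
        return {"accept": False, "reason": "invalid trailer(s): " + detail, "trailers": trailers}
    return {"accept": True, "reason": "ok", "body": data, "leftover": leftover}


# Constructed sample: the issue's payload with CRLF framing and an assumed
# blank line closing the trailer section.
SMUGGLING_PAYLOAD = (
    b"POST /path1 HTTP/1.1\r\nHost: a.com\r\nTransfer-Encoding: chunked\r\n"
    b"Connection: keep-alive\r\n\r\n"
    b"2\r\na2\r\n0\r\nHeader: value\r\n"
    b"POST /path2?a=:123 HTTP/1.1\r\nHost: a.com\r\nConnection: close\r\n\r\n"
)

# Constructed sample: a well-formed chunked request with a legitimate trailer.
CLEAN_PAYLOAD = (
    b"POST /upload HTTP/1.1\r\nHost: a.com\r\nTransfer-Encoding: chunked\r\n"
    b"Trailer: X-Checksum\r\n\r\n5\r\nhello\r\n0\r\nX-Checksum: abc123\r\n\r\n"
)

if __name__ == "__main__":
    for label, payload in (("smuggling", SMUGGLING_PAYLOAD), ("clean", CLEAN_PAYLOAD)):
        print(label, inspect_request(payload))
```

Run against the issue's payload, `inspect_request` rejects it and names the offending line: "POST /path2?a=:123 HTTP/1.1" is reported for the space, "/", "=" and "?" in its field name, and "Host" and "Connection" are reported as fields that may not appear in trailers. The well-formed request with an "X-Checksum" trailer is accepted with an empty leftover buffer. The design point is the one the changelog makes: a proxy that reads the complete trailer section and holds it to the field-name grammar has nothing to pass through to a back end, whichever server is behind it.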
Credit
Fixed by @jamadden.
Reported by Keran Mu (@mukeran) and Jianjun Chen (@chenjj), from Tsinghua University and Zhongguancun Laboratory.
Related news
Red Hat Security Advisory 2024-8105-03 - An update for python-gevent is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions, and Red Hat Enterprise Linux 8.4 Telecommunications Update Service. Issues addressed include a privilege escalation vulnerability.
Red Hat Security Advisory 2024-8102-03 - An update for python-gevent is now available for Red Hat Enterprise Linux 8.8 Extended Update Support. Issues addressed include a privilege escalation vulnerability.
Red Hat Security Advisory 2024-7785-03 - An update for python-gevent is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support. Issues addressed include a privilege escalation vulnerability.
Red Hat Security Advisory 2024-7421-03 - An update for python-gevent is now available for Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions, and Red Hat Enterprise Linux 8.6 Telecommunications Update Service. Issues addressed include a privilege escalation vulnerability.
Red Hat Security Advisory 2023-7438-01 - An update for python-gevent is now available for Red Hat OpenStack Platform 17.1.1. Issues addressed include a privilege escalation vulnerability.