Update dependency gunicorn to v21

[mend-for-jackfan.us.kg]

This PR contains the following updates:

Package	Update	Change
gunicorn (changelog)	major	==20.1.0 -> ==21.0.0

By merging this PR, the issue #355 will be automatically resolved and closed:

Severity	CVSS Score	CVE
High	7.4	CVE-2024-1135
High	7.0	CVE-2024-6345

---

Release Notes

benoitc/gunicorn (gunicorn)

v21.0.0

Compare Source

---

• If you want to rebase/retry this PR, check this box

[socket-security]

Updated dependencies detected. Learn more about Socket for GitHub ↗︎

Package	New capabilities	Transitives	Size	Publisher
pypi/[email protected] ➜ 21.0.0	Transitive: environment, eval, filesystem, network, shell, unsafe	+257	2.02 GB	benoitc, tilgovi

View full report↗︎

[semgrep-app]

Risk: Affected versions of gunicorn are vulnerable to Inconsistent Interpretation Of Http Requests ('Http Request/Response Smuggling'). The vulnerability in Gunicorn arises from its failure to properly validate Transfer-Encoding headers, potentially exposing it to HTTP Request Smuggling (HRS) attacks by mishandling requests with multiple Transfer-Encoding headers, leading to a CL-TE attack where both Content-Length and Transfer-Encoding headers confuse the server.

Manual Review Advice: A vulnerability from this advisory is reachable if you are using a gunicorn backend server in async mode

Fix: Upgrade this library to at least version 22.0.0 at vampi/requirements.txt:3.

Reference(s): GHSA-w3h3-4rj7-4ph4, CVE-2024-1135

_{Ignore this finding from ssc-0cfcd72f-a72f-48d0-9da1-71e9f3518e34}

[rafikmojr]

Checkmarx One – Scan Summary & Details – 1fbdd382-ab07-483e-9f99-230fd8b44b43

New Issues (4)

Checkmarx found the following issues in this Pull Request

Severity	Issue	Source File / Package	Checkmarx Insight
	CVE-2024-1135	Python-gunicorn-21.0.0	details Recommended version: 22.0.0 Description: Gunicorn fails to properly validate Transfer-Encoding headers, leading to HTTP Request Smuggling (HRS) vulnerabilities. By crafting requests with c... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
	CVE-2024-34069	Python-Werkzeug-2.2.3	details Recommended version: 3.0.6 Description: Werkzeug is a comprehensive WSGI web application library. The debugger in affected versions prior to 3.0.3 of Werkzeug can allow an attacker to exe... Attack Vector: NETWORK Attack Complexity: HIGH Vulnerable Package
	CVE-2024-49767	Python-Werkzeug-2.2.3	details Recommended version: 3.0.6 Description: Werkzeug is a Web Server Gateway Interface web application library. Applications using `werkzeug.formparser.MultiPartParser` corresponding to a ver... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
	CVE-2024-49766	Python-Werkzeug-2.2.3	details Recommended version: 3.0.6 Description: Werkzeug is a Web Server Gateway Interface web application library. On Python < 3.11 on Windows, "os.path.isabs()" does not catch UNC paths like "/... Attack Vector: NETWORK Attack Complexity: HIGH Vulnerable Package

Fixed Issues (18)

Great job! The following issues were fixed in this Pull Request

Severity	Issue	Source File / Package
	Host Namespace is Shared	/docker-compose.yaml: 11
	Host Namespace is Shared	/docker-compose.yaml: 3
	Networks Not Set	/docker-compose.yaml: 3
	Networks Not Set	/docker-compose.yaml: 11
	Trust_Boundary_Violation_in_Session_Variables	/api_views/users.py: 34
	Trust_Boundary_Violation_in_Session_Variables	/api_views/books.py: 22
	Trust_Boundary_Violation_in_Session_Variables	/api_views/users.py: 34
	Trust_Boundary_Violation_in_Session_Variables	/api_views/books.py: 22
	Trust_Boundary_Violation_in_Session_Variables	/api_views/users.py: 34
	Trust_Boundary_Violation_in_Session_Variables	/api_views/books.py: 22
	Trust_Boundary_Violation_in_Session_Variables	/api_views/users.py: 34
	Trust_Boundary_Violation_in_Session_Variables	/api_views/books.py: 22
	Trust_Boundary_Violation_in_Session_Variables	/api_views/users.py: 34
	Trust_Boundary_Violation_in_Session_Variables	/api_views/books.py: 22
	Trust_Boundary_Violation_in_Session_Variables	/api_views/users.py: 34
	Trust_Boundary_Violation_in_Session_Variables	/api_views/books.py: 22
	Trust_Boundary_Violation_in_Session_Variables	/api_views/books.py: 22
	Trust_Boundary_Violation_in_Session_Variables	/api_views/users.py: 34