Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2019-16789

In Waitress through version 1.4.0, if a proxy server is used in front of waitress, an invalid request may be sent by an attacker that bypasses the front-end and is parsed differently by waitress leading to a potential for HTTP request smuggling. Specially crafted requests containing special whitespace characters in the Transfer-Encoding header would get parsed by Waitress as being a chunked request, but a front-end server would use the Content-Length instead as the Transfer-Encoding header is considered invalid due to containing invalid characters. If a front-end server does HTTP pipelining to a backend Waitress server this could lead to HTTP request splitting which may lead to potential cache poisoning or unexpected information disclosure. This issue is fixed in Waitress 1.4.1 through more strict HTTP field validation.

Published

2019-12-26T17:15:13.707

Last Modified

2024-11-21T04:31:11.543

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 7.1 (HIGH)

CVSSv2 Vector

AV:N/AC:L/Au:N/C:P/I:P/A:N

Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: NONE

Exploitability Score

10.0

Impact Score

4.9

Weaknesses

Type: Secondary
CWE-444
Type: Primary
CWE-444

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	agendaless	waitress	≤ 1.4.0	Yes
Application	oracle	communications_cloud_native_core_network_function_cloud_native_environment	1.10.0	Yes
Operating System	debian	debian_linux	9.0	Yes
Operating System	fedoraproject	fedora	30	Yes
Operating System	fedoraproject	fedora	31	Yes
Application	redhat	openstack	15	Yes

References

https://access.redhat.com/errata/RHSA-2020:0720 Third Party Advisory ([email protected])
https://docs.pylonsproject.org/projects/waitress/en/latest/#security-fixes Release Notes, Vendor Advisory ([email protected])
https://github.com/Pylons/waitress/commit/11d9e138125ad46e951027184b13242a3c1de017 Patch, Third Party Advisory ([email protected])
https://github.com/github/advisory-review/pull/14604 Broken Link, Third Party Advisory ([email protected])
https://lists.debian.org/debian-lts-announce/2022/05/msg00011.html Mailing List, Third Party Advisory ([email protected])
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GVDHR2DNKCNQ7YQXISJ45NT4IQDX3LJ7/ ([email protected])
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LYEOTGWJZVKPRXX2HBNVIYWCX73QYPM5/ ([email protected])
https://www.oracle.com/security-alerts/cpuapr2022.html Patch, Third Party Advisory ([email protected])
https://access.redhat.com/errata/RHSA-2020:0720 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://docs.pylonsproject.org/projects/waitress/en/latest/#security-fixes Release Notes, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/Pylons/waitress/commit/11d9e138125ad46e951027184b13242a3c1de017 Patch, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/github/advisory-review/pull/14604 Broken Link, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://lists.debian.org/debian-lts-announce/2022/05/msg00011.html Mailing List, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GVDHR2DNKCNQ7YQXISJ45NT4IQDX3LJ7/ (af854a3a-2127-422b-91ae-364da2661108)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LYEOTGWJZVKPRXX2HBNVIYWCX73QYPM5/ (af854a3a-2127-422b-91ae-364da2661108)
https://www.oracle.com/security-alerts/cpuapr2022.html Patch, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)