CVE-2019-16786 waitress

Package

Manager: pip
Name: waitress
Vulnerable Version: >=0 <1.4.0

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N

EPSS: 0.00516 (percentile 0.65704)

Details

HTTP Request Smuggling: Invalid Transfer-Encoding in Waitress

### Impact

Waitress would parse the `Transfer-Encoding` header and only look for a single string value; if that value was not `chunked`, it would fall through and use the `Content-Length` header instead. According to the HTTP standard, `Transfer-Encoding` should be a comma-separated list, with the inner-most encoding first, followed by any further transfer codings, ending with `chunked`. Requests sent with:

```
Transfer-Encoding: gzip, chunked
```

would incorrectly be ignored, and the request would use a `Content-Length` header instead to determine the body size of the HTTP message. This could allow Waitress to treat a single request as multiple requests in the case of HTTP pipelining.

### Patches

This issue is fixed in Waitress 1.4.0. This brings a range of changes to harden Waitress against potential HTTP request confusions, and may change the behaviour of Waitress behind non-conformist proxies. Waitress will now return a 501 Not Implemented error if the `Transfer-Encoding` is not `chunked` or contains multiple elements. Waitress does not support any transfer codings such as `gzip` or `deflate`.

The Pylons Project recommends upgrading as soon as possible, while validating that the changes in Waitress don't cause any changes in behavior.

### Workarounds

Various reverse proxies may have protections against sending potentially bad HTTP requests to the backend, and/or hardening against potential issues like this. If the reverse proxy doesn't use HTTP/1.1 for connecting to the backend, issues are also somewhat mitigated, as HTTP pipelining does not exist in HTTP/1.0 and Waitress will close the connection after every single request (unless the Keep-Alive header is explicitly sent, so this is not a foolproof security method).

### Issues/more security issues:

* open an issue at https://github.com/Pylons/waitress/issues (if not sensitive or security related)
* email the Pylons Security mailing list: pylons-project-security@googlegroups.com (if security related)
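The framing decision the advisory describes, as an added example that is not Waitress's own code: the pre-1.4.0 single-string comparison that falls through to `Content-Length`, beside a 1.4.0-style decision that parses `Transfer-Encoding` as a comma-separated list and answers 501 for anything other than exactly one `chunked` coding. Headers are modelled as a dict of lowercased field names to raw values, and the whitespace and case handling of the old path are assumptions of this example, not a reproduction of Waitress's parser; the sample header sets are constructed.

```python
"""Added example (not Waitress's own code): Transfer-Encoding framing,
pre-1.4.0 logic as the advisory describes it beside the 1.4.0 hardening.
Headers are modelled as a dict of lowercased names to raw values; that
layout is an assumption of this example, not Waitress's data structure."""
from typing import Dict, List, Optional, Tuple

Headers = Dict[str, str]


def parse_transfer_encoding(value: str) -> List[str]:
    """Split a Transfer-Encoding field value into its transfer-codings.

    The value is a comma-separated list (RFC 7230, section 3.3.1); codings
    are case-insensitive and may carry surrounding whitespace. Empty list
    elements are dropped, as the HTTP list syntax permits them.
    """
    return [elem.strip().lower() for elem in value.split(",") if elem.strip()]


def framing_before_1_4_0(headers: Headers) -> str:
    """Pre-1.4.0 behaviour per the advisory: the whole header value is
    compared against the single string 'chunked'; anything else falls
    through to Content-Length, so 'gzip, chunked' is silently ignored.
    (Case/whitespace normalisation here is an assumption of this example.)"""
    te = headers.get("transfer-encoding")
    if te is not None and te.strip().lower() == "chunked":
        return "chunked"
    if "content-length" in headers:
        return "content-length"
    return "no-body"


def framing_hardened(headers: Headers) -> Tuple[Optional[int], Optional[str]]:
    """1.4.0-style decision, returned as (status, framing).

    status is 501 when the request must be refused with Not Implemented
    (Transfer-Encoding present but not exactly one 'chunked' coding),
    otherwise None; framing is then 'chunked', 'content-length' or 'no-body'.
    A present Transfer-Encoding takes precedence over Content-Length, which
    is the RFC 7230 section 3.3.3 rule and removes the fall-through.
    """
    te = headers.get("transfer-encoding")
    if te is not None:
        codings = parse_transfer_encoding(te)
        if codings != ["chunked"]:
            # gzip/deflate or multi-element lists are unsupported: refuse
            # rather than guess, so client, proxy and server agree on
            # where the message body ends.
            return 501, None
        return None, "chunked"
    if "content-length" in headers:
        return None, "content-length"
    return None, "no-body"


# Constructed sample header sets (not captured traffic).
SAMPLES: Dict[str, Headers] = {
    "plain chunked": {"transfer-encoding": "chunked"},
    "advisory case": {"transfer-encoding": "gzip, chunked", "content-length": "5"},
    "odd spacing/case": {"transfer-encoding": " Chunked "},
    "unsupported coding": {"transfer-encoding": "gzip"},
    "content-length only": {"content-length": "12"},
}


def compare_all() -> Dict[str, Tuple[str, Tuple[Optional[int], Optional[str]]]]:
    """Run both decisions over the samples. The 'advisory case' row is the
    one that matters: the old logic frames by Content-Length while the
    hardened logic answers 501, so no second framing interpretation exists."""
    return {name: (framing_before_1_4_0(h), framing_hardened(h))
            for name, h in SAMPLES.items()}


if __name__ == "__main__":
    for name, (old, new) in compare_all().items():
        print(f"{name:20s} pre-1.4.0={old:15s} hardened={new}")
```

The useful property of the hardened path is that it never picks a framing the peer might disagree with: either the message is `chunked` and only `chunked`, or it is refused. A reverse proxy in front of Waitress applying the same rule (reject rather than normalise unknown transfer codings) gives the workaround the advisory mentions without relying on HTTP/1.0 connection closing.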

Metadata

Created: 2019-12-20T23:04:18Z
Modified: 2024-11-19T13:57:29Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/12/GHSA-g2xc-35jw-c63p/GHSA-g2xc-35jw-c63p.json
CWE IDs: ["CWE-444"]
Alternative ID: GHSA-g2xc-35jw-c63p
Finding: F110
Auto approve: 1