{"containers": {"cna": {"affected": [{"product": "Waitress", "vendor": "Pylons", "versions": [{"lessThan": "1.4.1", "status": "affected", "version": "< 1.4.1", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "In Waitress through version 1.4.0, if a proxy server is used in front of waitress, an invalid request may be sent by an attacker that bypasses the front-end and is parsed differently by waitress leading to a potential for HTTP request smuggling. Specially crafted requests containing special whitespace characters in the Transfer-Encoding header would get parsed by Waitress as being a chunked request, but a front-end server would use the Content-Length instead as the Transfer-Encoding header is considered invalid due to containing invalid characters. If a front-end server does HTTP pipelining to a backend Waitress server this could lead to HTTP request splitting which may lead to potential cache poisoning or unexpected information disclosure. This issue is fixed in Waitress 1.4.1 through more strict HTTP field validation."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:H/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-444", "description": "CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-05-12T23:06:09", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"name": "FEDORA-2020-bdcc8ffc24", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GVDHR2DNKCNQ7YQXISJ45NT4IQDX3LJ7/"}, {"name": "FEDORA-2020-65a7744e38", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LYEOTGWJZVKPRXX2HBNVIYWCX73QYPM5/"}, {"name": "RHSA-2020:0720", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2020:0720"}, {"tags": ["x_refsource_MISC"], "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"}, {"tags": ["x_refsource_MISC"], "url": "https://docs.pylonsproject.org/projects/waitress/en/latest/#security-fixes"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/github/advisory-review/pull/14604"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/Pylons/waitress/commit/11d9e138125ad46e951027184b13242a3c1de017"}, {"name": "[debian-lts-announce] 20220512 [SECURITY] [DLA 3000-1] waitress security update", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-lts-announce/2022/05/msg00011.html"}], "source": {"advisory": "GHSA-m5ff-3wj3-8ph4", "discovery": "UNKNOWN"}, "title": "HTTP Request Smuggling in Waitress: Invalid whitespace characters in headers", "workarounds": [{"lang": "en", "value": "You may enable additional protections on front-end servers, those that follow RFC7230 correctly would drop the request with a 400 Bad Request.\n\nWaitress will now correctly responds to the request with a 400 Bad Request, and will drop the connection to avoid any potential HTTP pipelining issues."}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2019-16789", "STATE": "PUBLIC", "TITLE": "HTTP Request Smuggling in Waitress: Invalid whitespace characters in headers"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Waitress", "version": {"version_data": [{"version_affected": "<", "version_name": "< 1.4.1", "version_value": "1.4.1"}]}}]}, "vendor_name": "Pylons"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "In Waitress through version 1.4.0, if a proxy server is used in front of waitress, an invalid request may be sent by an attacker that bypasses the front-end and is parsed differently by waitress leading to a potential for HTTP request smuggling. Specially crafted requests containing special whitespace characters in the Transfer-Encoding header would get parsed by Waitress as being a chunked request, but a front-end server would use the Content-Length instead as the Transfer-Encoding header is considered invalid due to containing invalid characters. If a front-end server does HTTP pipelining to a backend Waitress server this could lead to HTTP request splitting which may lead to potential cache poisoning or unexpected information disclosure. This issue is fixed in Waitress 1.4.1 through more strict HTTP field validation."}]}, "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:H/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')"}]}]}, "references": {"reference_data": [{"name": "FEDORA-2020-bdcc8ffc24", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GVDHR2DNKCNQ7YQXISJ45NT4IQDX3LJ7/"}, {"name": "FEDORA-2020-65a7744e38", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LYEOTGWJZVKPRXX2HBNVIYWCX73QYPM5/"}, {"name": "RHSA-2020:0720", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2020:0720"}, {"name": "https://www.oracle.com/security-alerts/cpuapr2022.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"}, {"name": "https://docs.pylonsproject.org/projects/waitress/en/latest/#security-fixes", "refsource": "MISC", "url": "https://docs.pylonsproject.org/projects/waitress/en/latest/#security-fixes"}, {"name": "https://github.com/github/advisory-review/pull/14604", "refsource": "CONFIRM", "url": "https://github.com/github/advisory-review/pull/14604"}, {"name": "https://github.com/Pylons/waitress/commit/11d9e138125ad46e951027184b13242a3c1de017", "refsource": "MISC", "url": "https://github.com/Pylons/waitress/commit/11d9e138125ad46e951027184b13242a3c1de017"}, {"name": "[debian-lts-announce] 20220512 [SECURITY] [DLA 3000-1] waitress security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2022/05/msg00011.html"}]}, "source": {"advisory": "GHSA-m5ff-3wj3-8ph4", "discovery": "UNKNOWN"}, "work_around": [{"lang": "en", "value": "You may enable additional protections on front-end servers, those that follow RFC7230 correctly would drop the request with a 400 Bad Request.\n\nWaitress will now correctly responds to the request with a 400 Bad Request, and will drop the connection to avoid any potential HTTP pipelining issues."}]}}}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2019-16789", "datePublished": "2019-12-26T16:40:12", "dateReserved": "2019-09-24T00:00:00", "dateUpdated": "2022-05-12T23:06:09", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:agendaless:waitress:*:*:*:*:*:*:*:*", "matchCriteriaId": "A774428E-3DBB-49C8-A1E9-BAD2704F98DF", "versionEndIncluding": "1.4.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:oracle:communications_cloud_native_core_network_function_cloud_native_environment:1.10.0:*:*:*:*:*:*:*", "matchCriteriaId": "C2A5B24D-BDF2-423C-98EA-A40778C01A05", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*", "matchCriteriaId": "97A4B8DF-58DA-4AB6-A1F9-331B36409BA3", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*", "matchCriteriaId": "80F0FA5D-8D3B-4C0E-81E2-87998286AF33", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:openstack:15:*:*:*:*:*:*:*", "matchCriteriaId": "70108B60-8817-40B4-8412-796A592E4E5E", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "In Waitress through version 1.4.0, if a proxy server is used in front of waitress, an invalid request may be sent by an attacker that bypasses the front-end and is parsed differently by waitress leading to a potential for HTTP request smuggling. Specially crafted requests containing special whitespace characters in the Transfer-Encoding header would get parsed by Waitress as being a chunked request, but a front-end server would use the Content-Length instead as the Transfer-Encoding header is considered invalid due to containing invalid characters. If a front-end server does HTTP pipelining to a backend Waitress server this could lead to HTTP request splitting which may lead to potential cache poisoning or unexpected information disclosure. This issue is fixed in Waitress 1.4.1 through more strict HTTP field validation."}, {"lang": "es", "value": "En Waitress versiones hasta 1.4.0, si un servidor proxy es usado frente a waitress, un atacante puede enviar una petici\u00f3n no comprobada que omita el front-end y que waitress analiza de manera diferente conllevando a un posible trafico no autorizado de peticiones HTTP. Waitress analizar\u00eda las peticiones especialmente dise\u00f1adas que contienen caracteres de espacio en blanco especiales en el encabezado Transfer-Encoding como si fuera una petici\u00f3n fragmentada, pero un servidor front-end usar\u00eda Content-Length en su lugar ya que el encabezado Transfer-Encoding es considerado no v\u00e1lido debido a que contiene caracteres no v\u00e1lidos. Si un servidor de aplicaciones para usuario establece una canalizaci\u00f3n HTTP hacia un servidor backend de Waitress, esto podr\u00eda conllevar a una divisi\u00f3n de la petici\u00f3n HTTP, lo que podr\u00eda generar un posible envenenamiento de la cach\u00e9 o una divulgaci\u00f3n inesperada de informaci\u00f3n. Este problema se soluciona en Waitress versi\u00f3n 1.4.1 por medio de una comprobaci\u00f3n del campo HTTP m\u00e1s estricta."}], "id": "CVE-2019-16789", "lastModified": "2023-11-07T03:05:44.903", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 6.4, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.2, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 4.7, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2019-12-26T17:15:13.707", "references": [{"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2020:0720"}, {"source": "security-advisories@github.com", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://docs.pylonsproject.org/projects/waitress/en/latest/#security-fixes"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/Pylons/waitress/commit/11d9e138125ad46e951027184b13242a3c1de017"}, {"source": "security-advisories@github.com", "tags": ["Broken Link", "Third Party Advisory"], "url": "https://github.com/github/advisory-review/pull/14604"}, {"source": "security-advisories@github.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2022/05/msg00011.html"}, {"source": "security-advisories@github.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GVDHR2DNKCNQ7YQXISJ45NT4IQDX3LJ7/"}, {"source": "security-advisories@github.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LYEOTGWJZVKPRXX2HBNVIYWCX73QYPM5/"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-444"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-444"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}