CVE-2019-16786
published 2019-12-20CVE-2019-16786: Waitress through version 1.3.1 would parse the Transfer-Encoding header and only look for a single string value, if that value was not chunked it would fall…
high7.5CVSS 3.1
AVNACLPRNUINSUCNIHAN
Waitress through version 1.3.1 would parse the Transfer-Encoding header and only look for a single string value, if that value was not chunked it would fall through and use the Content-Length header instead. According to the HTTP standard Transfer-Encoding should be a comma separated list, with the inner-most encoding first, followed by any further transfer codings, ending with chunked. Requests sent with: "Transfer-Encoding: gzip, chunked" would incorrectly get ignored, and the request would use a Content-Length header instead to determine the body size of the HTTP message. This could allow for Waitress to treat a single request as multiple requests in the case of HTTP pipelining. This issue is fixed in Waitress 1.4.0.
Affected
13 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| agendaless | waitress | < 1.3.1 | 1.3.1 |
| debian | debian_linux | — | — |
| debian | waitress | < waitress 1.4.1-1 (bookworm) | waitress 1.4.1-1 (bookworm) |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| oracle | communications_cloud_native_core_network_function_cloud_native_environment | — | — |
| pylons | waitress | <= 1.3.1 | — |
| pylons | waitress | >= 0 < 1.4.1-1 | 1.4.1-1 |
| pylons | waitress | >= 0 < 1.4.1-1 | 1.4.1-1 |
| pylons | waitress | >= 0 < 1.4.1-1 | 1.4.1-1 |
| pylons | waitress | >= 0 < 1.4.1-1 | 1.4.1-1 |
| pylons | waitress | >= 0 < 1.4.0 | 1.4.0 |
| redhat | openstack | — | — |
CVSS provenance
nvdv3.17.5HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
osv7.5HIGH