CVE-2020-5236 — Uncontrolled Resource Consumption in Waitress

CWE-400 — Uncontrolled Resource Consumption8 documents7 sources

Severity

6.5MEDIUMNVD

CNA5.7

EPSS

13.9%

top 5.67%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Pylons Waitress Agendaless Waitress

Timeline

PublishedFeb 4

Latest updateMay 4

Description

Waitress version 1.4.2 allows a DOS attack When waitress receives a header that contains invalid characters. When a header like "Bad-header: xxxxxxxxxxxxxxx\x10" is received, it will cause the regular expression engine to catastrophically backtrack causing the process to use 100% CPU time and blocking any other interactions. This allows an attacker to send a single request with an invalid header and take the service offline. This issue was introduced in version 1.4.2 when the regular expression …

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:HExploitability: 2.8 | Impact: 3.6

Affected Packages2 packages

▶CVEListV5pylons/waitress= 1.4.2

▶NVDagendaless/waitress1.4.2

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

CVEList

Catastrophic backtracking in regex allows Denial of Service in Waitress↗2020-02-04

▶

OSV

Catastrophic backtracking in regex allows Denial of Service in Waitress↗2020-02-04

▶

GHSA

Catastrophic backtracking in regex allows Denial of Service in Waitress↗2020-02-04

▶

OSV

CVE-2020-5236: Waitress version 1↗2020-02-04

▶

📋Vendor Advisories

Red Hat

waitress: header with invalid characters can lead to DoS↗2020-02-03

▶

Debian

CVE-2020-5236: waitress - Waitress version 1.4.2 allows a DOS attack When waitress receives a header that ...↗2020

▶

💬Community

Bugzilla

CVE-2020-5236 waitress: header with invalid characters can lead to DoS↗2020-05-04

▶