GHSA-968f-66r5-5v74

Suggest an improvement
Source
https://github.com/advisories/GHSA-968f-66r5-5v74
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/01/GHSA-968f-66r5-5v74/GHSA-968f-66r5-5v74.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-968f-66r5-5v74
Aliases
Published
2020-01-06T18:44:21Z
Modified
2024-02-21T05:28:27.750674Z
Severity
  • 7.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:H/A:N CVSS Calculator
Summary
HTTP Request Smuggling in Waitress: Invalid whitespace characters in headers (Follow-up)
Details

Impact

The patches introduced to fix https://github.com/Pylons/waitress/security/advisories/GHSA-m5ff-3wj3-8ph4 were not complete and still would allow an attacker to smuggle requests/split a HTTP request with invalid data.

This updates the existing CVE with ID: CVE-2019-16789

Patches

Waitress version 1.4.2 has been updated to now validate HTTP headers better to avoid the issue, completely fixing all known issues with whitespace.

Workarounds

There are no work-arounds, upgrading to Waitress 1.4.2 is highly recommended.

References

See https://github.com/Pylons/waitress/security/advisories/GHSA-m5ff-3wj3-8ph4 for more information on the security issue.

For more information

If you have any questions or comments about this advisory:

  • open an issue at https://github.com/Pylons/waitress/issues (if not sensitive or security related)
  • email the Pylons Security mailing list: pylons-project-security@googlegroups.com (if security related)
References

Affected packages

PyPI / waitress

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.4.2

Affected versions

0.*

0.1
0.2
0.3
0.4
0.5
0.6
0.6.1
0.7
0.8
0.8.1
0.8.2
0.8.3
0.8.4
0.8.5
0.8.6
0.8.7
0.8.8
0.8.9
0.8.10
0.8.11b0
0.9.0b0
0.9.0b1
0.9.0

1.*

1.0a1
1.0a2
1.0.0
1.0.1
1.0.2
1.1.0
1.2.0b1
1.2.0b2
1.2.0b3
1.2.0
1.2.1
1.3.0b0
1.3.0
1.3.1
1.4.0
1.4.1

Ecosystem specific

{
    "affected_functions": [
        "waitress.parser.HTTPRequestParser.parse_header"
    ]
}