CVE-2019-16785

HTTP Request Smuggling: LF vs CRLF handling in Waitress

Severity Score

7.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Waitress through version 1.3.1 implemented a "MAY" part of the RFC7230 which states: "Although the line terminator for the start-line and header fields is the sequence CRLF, a recipient MAY recognize a single LF as a line terminator and ignore any preceding CR." Unfortunately if a front-end server does not parse header fields with an LF the same way as it does those with a CRLF it can lead to the front-end and the back-end server parsing the same HTTP message in two different ways. This can lead to a potential for HTTP request smuggling/splitting whereby Waitress may see two requests while the front-end server only sees a single HTTP message. This issue is fixed in Waitress 1.4.0.

Waitress versión hasta 1.3.1, implementó una parte "MAY" del RFC7230 que declara: "Aunque el terminador de línea para los campos de línea de inicio y encabezado es la secuencia CRLF, un receptor PUEDE reconocer un LF único como un terminador de línea e ignorar cualquier CR anterior". Desafortunadamente, si un servidor front-end no analiza los campos de encabezado con un LF de igual forma que los que tienen un CRLF, puede conllevar a que el servidor front-end y el back-end analice el mismo mensaje HTTP de dos maneras diferentes. Esto puede conllevar a un posible tráfico no autorizado y una división de peticiones HTTP, por lo que Waitress puede visualizar dos peticiones mientras que el servidor front-end solo visualiza un solo mensaje HTTP. Este problema fue corregido en Waitress versión 1.4.0.

An HTTP-request vulnerability was discovered in Waitress which implemented a "MAY" part of the RFC7230 which states: "Although the line terminator for the start-line and header fields is the sequence CRLF, a recipient MAY recognize a single LF as a line terminator and ignore any preceding CR." Unfortunately, if a front-end server does not process header fields with an LF the same way as it processes those with a CRLF, it can lead to the front-end and the back-end server processing the same HTTP message in two different ways. This vulnerability can lead to a potential for HTTP request smuggling and splitting where Waitress may see two requests, while the front-end server only sees a single HTTP message.

Quay 3.4.0 release. Issues addressed include HTTP request smuggling, buffer overflow, information leakage, integer overflow, out of bounds read, and out of bounds write vulnerabilities.

*Credits: N/A

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

None

Attack Vector

Network

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

Low

Availability

None

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

None

Integrity

Partial

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2019-09-24 CVE Reserved
2019-12-20 CVE Published
2024-08-05 CVE Updated
2024-08-05 First Exploit
2025-03-30 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

CAPEC

References (10)

URL	Tag	Source
https://lists.debian.org/debian-lts-announce/2022/05/msg00011.html	Mailing List

URL	Date	SRC
https://github.com/Pylons/waitress/security/advisories/GHSA-pg36-wpm5-g57p	2024-08-05

URL	Date	SRC
https://github.com/Pylons/waitress/commit/8eba394ad75deaf9e5cd15b78a3d16b12e6b0eba	2023-11-07
https://www.oracle.com/security-alerts/cpuapr2022.html	2023-11-07

URL	Date	SRC
https://access.redhat.com/errata/RHSA-2020:0720	2023-11-07
https://docs.pylonsproject.org/projects/waitress/en/latest/#security-fixes	2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GVDHR2DNKCNQ7YQXISJ45NT4IQDX3LJ7	2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LYEOTGWJZVKPRXX2HBNVIYWCX73QYPM5	2023-11-07
https://access.redhat.com/security/cve/CVE-2019-16785	2021-02-04
https://bugzilla.redhat.com/show_bug.cgi?id=1791420	2021-02-04

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Agendaless Search vendor "Agendaless"		Waitress Search vendor "Agendaless" for product "Waitress"				<= 1.3.1 Search vendor "Agendaless" for product "Waitress" and version " <= 1.3.1"		-		Affected
Oracle Search vendor "Oracle"		Communications Cloud Native Core Network Function Cloud Native Environment Search vendor "Oracle" for product "Communications Cloud Native Core Network Function Cloud Native Environment"				1.10.0 Search vendor "Oracle" for product "Communications Cloud Native Core Network Function Cloud Native Environment" and version "1.10.0"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				9.0 Search vendor "Debian" for product "Debian Linux" and version "9.0"		-		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				30 Search vendor "Fedoraproject" for product "Fedora" and version "30"		-		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				31 Search vendor "Fedoraproject" for product "Fedora" and version "31"		-		Affected
Redhat Search vendor "Redhat"		Openstack Search vendor "Redhat" for product "Openstack"				15 Search vendor "Redhat" for product "Openstack" and version "15"		-		Affected