CVE-2019-16789
HTTP Request Smuggling in Waitress: Invalid whitespace characters in headers
Public Exploits: 6
Exploited in Wild: 0
Descriptions
In Waitress through version 1.4.0, if a proxy server is used in front of waitress, an invalid request may be sent by an attacker that bypasses the front-end and is parsed differently by waitress leading to a potential for HTTP request smuggling. Specially crafted requests containing special whitespace characters in the Transfer-Encoding header would get parsed by Waitress as being a chunked request, but a front-end server would use the Content-Length instead as the Transfer-Encoding header is considered invalid due to containing invalid characters. If a front-end server does HTTP pipelining to a backend Waitress server this could lead to HTTP request splitting which may lead to potential cache poisoning or unexpected information disclosure. This issue is fixed in Waitress 1.4.1 through more strict HTTP field validation.
In Waitress versions through 1.4.0, if a proxy server is used in front of waitress, an attacker can send an unvalidated request that bypasses the front-end and that waitress parses differently, leading to possible HTTP request smuggling. Waitress would parse specially crafted requests containing special whitespace characters in the Transfer-Encoding header as a chunked request, but a front-end server would use Content-Length instead, since the Transfer-Encoding header is considered invalid because it contains invalid characters. If a front-end server does HTTP pipelining to a backend Waitress server, this could lead to HTTP request splitting, which could result in possible cache poisoning or unexpected information disclosure. This issue is fixed in Waitress version 1.4.1 through stricter HTTP field validation.
An HTTP-interpretation flaw was found in waitress, through version 1.4.0. If a proxy server is used in front of waitress, an invalid request may be sent by an attacker that bypasses the front-end and is parsed differently by waitress leading to a potential for HTTP request smuggling. Specially crafted requests containing special whitespace characters in the Transfer-Encoding header would get parsed by waitress as being a chunked request, but a front-end server would use the Content-Length instead as the Transfer-Encoding header is considered invalid due to containing invalid characters. If a front-end server does HTTP pipelining to a backend Waitress server, an HTTP request splitting could occur which may lead to potential cache poisoning or unexpected information disclosure. This issue is fixed in Waitress 1.4.1 through more strict HTTP field validation. The highest threat from this vulnerability is data integrity.
Quay 3.4.0 release. Issues addressed include HTTP request smuggling, buffer overflow, information leakage, integer overflow, out of bounds read, and out of bounds write vulnerabilities.
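The Transfer-Encoding parsing mismatch described above can be shown with a strict framing check; this is an added example, not code from Waitress or from this page. The lenient parser (modelled with Python's `str.strip()`), the function names and the vertical-tab sample are assumptions for illustration, since the descriptions do not name the characters involved.

```python
from __future__ import annotations
import re

OWS = " \t"  # RFC 7230 optional whitespace: SP and HTAB only
TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")  # RFC 7230 token


def lenient_is_chunked(value: str) -> bool:
    """Hypothetical lenient back-end: str.strip() also removes \\x0b, \\x0c, ..."""
    return value.strip().lower() == "chunked"


def strict_transfer_codings(value: str) -> list[str]:
    """Return the transfer-coding names, or raise ValueError if malformed.
    Coding parameters are not accepted in this sketch."""
    codings = []
    for part in value.split(","):
        name = part.strip(OWS)  # trim only the whitespace the RFC allows
        if not TOKEN.fullmatch(name):
            raise ValueError(f"invalid transfer-coding {name!r}")
        codings.append(name.lower())
    return codings


def framing_decision(headers: list[tuple[str, str]]) -> str:
    """Return 'chunked', 'content-length', 'none' or 'reject'."""
    te = [v for k, v in headers if k.lower() == "transfer-encoding"]
    cl = [v for k, v in headers if k.lower() == "content-length"]
    if te:
        try:
            codings = [c for v in te for c in strict_transfer_codings(v)]
        except ValueError:
            return "reject"
        # Policy choice: refuse ambiguous framing instead of picking a header.
        if cl or codings[-1] != "chunked":
            return "reject"
        return "chunked"
    if cl:
        if len(set(cl)) != 1 or not re.fullmatch(r"[0-9]+", cl[0]):
            return "reject"
        return "content-length"
    return "none"


# Constructed sample: a vertical tab (\x0b) in front of the coding name.
SUSPECT = [("Content-Length", "5"), ("Transfer-Encoding", "\x0bchunked")]
```

Here `lenient_is_chunked("\x0bchunked")` is true while `framing_decision(SUSPECT)` returns `reject`, which is the behaviour stricter field validation is meant to enforce on the back-end.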
Timeline
- 2019-09-24 CVE Reserved
- 2019-12-26 CVE Published
- 2024-08-05 CVE Updated
- 2025-03-30 EPSS Updated
CWE
- CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')