Vulnerability Details : CVE-2019-16792
Waitress through version 1.3.1 allows HTTP request smuggling when a request carries the Content-Length header twice. Waitress folded the duplicate headers into a single comma-separated value (for example `43,43`), failed to cast that value to an integer, and silently set its internal Content-Length to 0. The request was therefore treated as having no body, and the bytes that were actually the body were parsed as the next request on the connection (HTTP pipelining). A front end that applied a different rule to the same pair of headers (honouring one of them, or rejecting the request) would then disagree with Waitress about where one request ends and the next begins, which is the desynchronisation that request smuggling relies on. This issue is fixed in Waitress 1.4.0.
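As an added illustration for this page (not Waitress's own parser and not code from the advisory), the following toy header parser reproduces the behaviour the description gives: duplicate `Content-Length` headers are folded into one comma-joined value, the vulnerable policy turns the resulting `int()` failure into 0 and drops the body, and the fixed policy bails on any non-numeric value. The request bytes are constructed for the example; `fold_headers`, `vulnerable_content_length`, `fixed_content_length` and `split_pipeline` are names assumed here, not Waitress APIs.

```python
"""
Toy reproduction of the CVE-2019-16792 parsing flaw (example code, not
Waitress's implementation). Function names and the request bytes below
are constructed for illustration.
"""
from typing import Callable, Dict, List, Tuple

# Constructed pipelined request: two Content-Length headers and a 43-byte
# body. If the body is dropped, a pipelining server reads those 43 bytes
# as the start of a *second* request (GET /admin) on the same socket.
RAW = (
    b"POST /upload HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Content-Length: 43\r\n"
    b"Content-Length: 43\r\n"
    b"\r\n"
    b"GET /admin HTTP/1.1\r\nHost: example.test\r\n\r\n"
)


def fold_headers(lines: List[bytes]) -> Dict[str, str]:
    """Fold repeated header names into one comma-joined value.

    This generic folding is what RFC 7230 permits for list-valued headers;
    applying it to Content-Length is exactly the mistake described above.
    """
    headers: Dict[str, str] = {}
    for line in lines:
        name, _, value = line.decode("latin-1").partition(":")
        name, value = name.strip().lower(), value.strip()
        headers[name] = value if name not in headers else headers[name] + "," + value
    return headers


def vulnerable_content_length(headers: Dict[str, str]) -> int:
    """Pre-1.4.0 policy as the description states it: an unparseable
    Content-Length such as "43,43" silently becomes 0 (body ignored)."""
    try:
        return int(headers.get("content-length", "0"))
    except ValueError:
        return 0


def fixed_content_length(headers: Dict[str, str]) -> int:
    """Post-fix policy: an invalid Content-Length is a protocol error.
    The caller must reject the request (400) instead of guessing."""
    raw = headers.get("content-length")
    if raw is None:
        return 0
    # isdigit() rejects the folded "43,43", signs, whitespace and empties.
    if not raw.isdigit():
        raise ValueError(f"invalid Content-Length: {raw!r}")
    return int(raw)


def split_pipeline(
    raw: bytes, length_fn: Callable[[Dict[str, str]], int]
) -> Tuple[bytes, bytes]:
    """Parse the first request using the chosen Content-Length policy.

    Returns (body_of_first_request, leftover_bytes). Leftover bytes are
    what a pipelining server would parse as the next request.
    """
    head, _, rest = raw.partition(b"\r\n\r\n")
    _request_line, *header_lines = head.split(b"\r\n")
    headers = fold_headers(header_lines)
    n = length_fn(headers)
    return rest[:n], rest[n:]


if __name__ == "__main__":
    body, leftover = split_pipeline(RAW, vulnerable_content_length)
    print("vulnerable: body=%r leftover starts with %r" % (body, leftover[:10]))
    try:
        split_pipeline(RAW, fixed_content_length)
    except ValueError as exc:
        print("fixed: rejected ->", exc)
```

With the vulnerable policy the first request gets an empty body and the `GET /admin` bytes become a second request that the server will answer on the same connection; with the fixed policy the same bytes are refused before any body is read. A proxy in front of the server should apply the same strict rule, since the desynchronisation only exists when the two ends disagree.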
Products affected by CVE-2019-16792
- Debian » Debian Linux » Version: 9.0 (cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*)
- Oracle » Communications Cloud Native Core Network Function Cloud Native Environment » Version: 1.10.0 (cpe:2.3:a:oracle:communications_cloud_native_core_network_function_cloud_native_environment:1.10.0:*:*:*:*:*:*:*)
- Agendaless » Waitress » Version: * (affected releases are those through 1.3.1, per the description above) (cpe:2.3:a:agendaless:waitress:*:*:*:*:*:*:*:*)
Exploit prediction scoring system (EPSS) score for CVE-2019-16792
- EPSS score: 0.19% (probability of exploitation activity in the next 30 days)
- Percentile: ~56% (the proportion of vulnerabilities scored at or below this one)
CVSS scores for CVE-2019-16792
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:N (CVSS v2) | 10.0 | 2.9 | NIST | 
7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N | 3.9 | 3.6 | NIST | 
7.1 | HIGH | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N | 1.8 | 4.7 | GitHub, Inc. | 
CWE ids for CVE-2019-16792
- The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination.
  Assigned by:
  - nvd@nist.gov (Primary)
  - security-advisories@github.com (Secondary)
References for CVE-2019-16792
- https://github.com/Pylons/waitress/security/advisories/GHSA-4ppp-gpcr-7qf6 : "HTTP Request Smuggling: Content-Length Sent Twice" (Pylons/waitress GitHub security advisory). Third Party Advisory
- https://github.com/Pylons/waitress/commit/575994cd42e83fd772a5f7ec98b2c56751bd3f65 : "Upon receiving invalid Content-Length bail" (Pylons/waitress commit 575994c). Patch
- https://www.oracle.com/security-alerts/cpuapr2022.html : Oracle Critical Patch Update Advisory, April 2022. Patch; Third Party Advisory
- https://docs.pylonsproject.org/projects/waitress/en/latest/#security-fixes : Waitress 1.4.2 documentation, security fixes. Release Notes
- https://lists.debian.org/debian-lts-announce/2022/05/msg00011.html : [SECURITY] [DLA 3000-1] waitress security update. Mailing List; Third Party Advisory