CVE-2019-16786

HIGH EPSS 83.0%
Published Dec 20, 20196y ago · Modified Jun 17, 20262w ago
7.5 CVSS 3.1
High
Find Similar
Published Dec 20, 2019 6y ago
Last Modified Jun 17, 2026 2w ago

Description

Waitress through version 1.3.1 would parse the Transfer-Encoding header and only look for a single string value, if that value was not chunked it would fall through and use the Content-Length header instead. According to the HTTP standard Transfer-Encoding should be a comma separated list, with the inner-most encoding first, followed by any further transfer codings, ending with chunked. Requests sent with: "Transfer-Encoding: gzip, chunked" would incorrectly get ignored, and the request would use a Content-Length header instead to determine the body size of the HTTP message. This could allow for Waitress to treat a single request as multiple requests in the case of HTTP pipelining. This issue is fixed in Waitress 1.4.0.

CVSS Details

Base Score
7.5
Exploitability
3.9
Impact
3.6
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality None
Integrity High
Availability None

Threat Intelligence

EPSS Exploit Probability
83.0% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-444

Affected Products 6

VendorProductVersionRange
agendalesswaitress* <1.3.1
oraclecommunications_cloud_native_core_network_function_cloud_native_environment1.10.0any
debiandebian_linux9.0any
fedoraprojectfedora30any
fedoraprojectfedora31any
redhatopenstack15any

References 8

  • access.redhat.com https://access.redhat.com/errata/RHSA-2020:0720
    Third Party Advisory
  • docs.pylonsproject.org https://docs.pylonsproject.org/projects/waitress/en/latest/#security-fixes
    Release NotesVendor Advisory
  • github.com https://github.com/Pylons/waitress/commit/f11093a6b3240fc26830b6111e826128af7771c3
    PatchThird Party Advisory
  • github.com https://github.com/Pylons/waitress/security/advisories/GHSA-g2xc-35jw-c63p
    Third Party Advisory
  • lists.debian.org https://lists.debian.org/debian-lts-announce/2022/05/msg00011.html
    Mailing ListThird Party Advisory
  • lists.fedoraproject.org https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GVDHR2DNKCNQ7YQXISJ45NT4IQDX3LJ7/
  • lists.fedoraproject.org https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LYEOTGWJZVKPRXX2HBNVIYWCX73QYPM5/
  • oracle.com https://www.oracle.com/security-alerts/cpuapr2022.html
    PatchThird Party Advisory

Remediation

  • github.com https://github.com/Pylons/waitress/commit/f11093a6b3240fc26830b6111e826128af7771c3
    PatchThird Party Advisory
  • oracle.com https://www.oracle.com/security-alerts/cpuapr2022.html
    PatchThird Party Advisory