Safety vulnerability ID: 49024
The information on this page was manually curated by our Cybersecurity Intelligence Team.
Pheonix-waitress 1.4.2 includes a fix for CVE-2019-16789: In Waitress through version 1.4.0, if a proxy server is used in front of waitress, an invalid request may be sent by an attacker that bypasses the front-end and is parsed differently by waitress leading to a potential for HTTP request smuggling. Specially crafted requests containing special whitespace characters in the Transfer-Encoding header would get parsed by Waitress as being a chunked request, but a front-end server would use the Content-Length instead as the Transfer-Encoding header is considered invalid due to containing invalid characters. If a front-end server does HTTP pipelining to a backend Waitress server this could lead to HTTP request splitting which may lead to potential cache poisoning or unexpected information disclosure.
Latest version: 2.1.1.2
Pheonix fork of the Waitress WSGI server
------------------
Security Fixes
~~~~~~~~~~~~~~
- Waitress did not properly validate that the HTTP headers it received were
  properly formed, thereby potentially allowing a front-end server to treat a
  request differently from Waitress. This could lead to HTTP request
  smuggling/splitting.

  Please see the security advisory for more information:
  https://github.com/Pylons/waitress/security/advisories/GHSA-m5ff-3wj3-8ph4

  CVE-ID: CVE-2019-16789
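
The parsing disagreement described above can be checked for on the receiving side. This is an added example, not code from Waitress or from this advisory: it assumes a lenient parser that trims the Transfer-Encoding value with Python's `str.strip()` and compares it with a strict parse that accepts only RFC 7230 optional whitespace (SP and HTAB). All function names and sample values are constructed for illustration.

```python
import re

# RFC 7230 optional whitespace (OWS) is only SP and HTAB.
OWS = " \t"
# RFC 7230 token characters, used for transfer-coding names.
TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")


def lenient_is_chunked(value):
    """Permissive check (assumed behaviour): str.strip() with no argument
    also removes vertical tab, form feed, CR, LF and other whitespace."""
    return value.strip().lower() == "chunked"


def strict_codings(value):
    """Split a Transfer-Encoding value into codings, trimming OWS only.

    Raises ValueError when an element is not a valid token, which is the
    case when stray whitespace or control characters surround the name.
    """
    codings = []
    for element in value.split(","):
        name = element.strip(OWS)
        if not TOKEN.fullmatch(name):
            raise ValueError("malformed transfer-coding: %r" % name)
        codings.append(name.lower())
    return codings


def framing_disagreement(value):
    """True when the lenient check sees 'chunked' but the strict parse
    rejects the header: a request to refuse with 400, not to forward."""
    try:
        strict_codings(value)
    except ValueError:
        return lenient_is_chunked(value)
    return False


# Constructed sample header values (not taken from the advisory).
SAMPLES = ["chunked", " chunked\t", "gzip, chunked", "\x0bchunked", "chunked\x0c"]

if __name__ == "__main__":
    for raw in SAMPLES:
        print("%-18r lenient=%-5s disagreement=%s"
              % (raw, lenient_is_chunked(raw), framing_disagreement(raw)))
```

A header that makes `framing_disagreement` return `True` is one that two servers in a proxy chain could frame differently, so the safe handling is to reject the request outright.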