PyPi: Pheonix-Waitress

CVE-2020-5236

Safety vulnerability ID: 49022

This vulnerability was reviewed by experts

The information on this page was manually curated by our Cybersecurity Intelligence Team.

Created at Feb 04, 2020 Updated at Mar 29, 2024

Scan your Python projects for vulnerabilities →

Advisory

Pheonix-waitress 1.4.3 includes a fix for CVE-2020-5236: Catastrophic backtracking in regex allows Denial of Service.
https://github.com/Pylons/waitress/security/advisories/GHSA-73m2-3pwg-5fgc

Affected package

pheonix-waitress

Latest version: 2.1.1.2

Pheonix fork of the Waitress WSGI server

Affected versions

Fixed versions

Vulnerability changelog

------------------

Security Fixes
~~~~~~~~~~~~~~

- In Waitress version 1.4.2 a new regular expression was added to validate the
headers that Waitress receives to make sure that it matches RFC7230.
Unfortunately the regular expression was written in a way that with invalid
input it leads to catastrophic backtracking which allows for a Denial of
Service and CPU usage going to a 100%.

This was reported by Fil Zembowicz to the Pylons Project. Please see
https://github.com/Pylons/waitress/security/advisories/GHSA-73m2-3pwg-5fgc
for more information.

Resources

Use this package?

Scan your Python project for dependency vulnerabilities in two minutes

Scan your application

Severity Details

CVSS Base Score

MEDIUM 6.5

CVSS v3 Details

MEDIUM 6.5

Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): LOW
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality Impact (C): NONE
Integrity Impact (I): NONE
Availability Availability (A): HIGH

CVSS v2 Details

MEDIUM 6.8

Access Vector (AV): NETWORK
Access Complexity (AC): LOW
Authentication (Au): SINGLE
Confidentiality Impact (C): NONE
Integrity Impact (I): NONE
Availability Impact (A): COMPLETE