CVE-2019-16792

Description

Waitress through version 1.3.1 allows request smuggling by sending the Content-Length header twice. Waitress would header fold a double Content-Length header and due to being unable to cast the now comma separated value to an integer would set the Content-Length to 0 internally. If two Content-Length headers are sent in a single request, Waitress would treat the request as having no body, thereby treating the body of the request as a new request in HTTP pipelining. This issue is fixed in Waitress 1.4.0.

How to fix CVE-2019-16792

To remediate CVE-2019-16792, upgrade the affected package to a fixed version below.

• —upgrade to 1.4.1-1 or later
• —upgrade to 1.4.0 or later
• —upgrade to 1.4.0 or later
• —upgrade to 575994cd42e83fd772a5f7ec98b2c56751bd3f65 or later

Is CVE-2019-16792 being exploited?

Low — EPSS is 0.9%, meaning exploitation activity has not been observed at scale.

Affected packages (4)

• from 0, < 1.4.1-1
• from 0, < 1.4.0
• from 0, < 1.4.0
• from 0, < 575994cd42e83fd772a5f7ec98b2c56751bd3f65 | from 0, < 1.4.0

CVSS scores

References (10)

• ADVISORYgithub.com/advisories/GHSA-j7j6-7hfx-5522
• ADVISORYnvd.nist.gov/vuln/detail/CVE-2019-16792
• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2019-16792
• PATCHgithub.com/Pylons/waitress
• WEB