cnvd - cnvd-2020-01160

cnvd-2020-01160

Vulnerability from cnvd

Title: Waitress环境问题漏洞

Description:

Waitress是一款用于Python的WSGI（Web服务器网关接口）服务器。

Waitress 1.4.0及之前版本中存在环境问题漏洞。该漏洞源于网络系统或产品的环境因素不合理。攻击者可利用该漏洞导致潜在的缓存中毒或意外的信息泄露。

Severity: 高

Patch Name: Waitress环境问题漏洞的补丁

Patch Description:

Waitress是一款用于Python的WSGI（Web服务器网关接口）服务器。

Waitress 1.4.0及之前版本中存在环境问题漏洞。该漏洞源于网络系统或产品的环境因素不合理。攻击者可利用该漏洞导致潜在的缓存中毒或意外的信息泄露。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description:

目前厂商已发布相关漏洞补丁修复链接，请及时更新： https://github.com/Pylons/waitress/commit/11d9e138125ad46e951027184b13242a3c1de017

Reference: https://nvd.nist.gov/vuln/detail/CVE-2019-16789

Impacted products

Name
Waitress Waitress <=1.4.0

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2019-16789"
    }
  },
  "description": "Waitress\u662f\u4e00\u6b3e\u7528\u4e8ePython\u7684WSGI\uff08Web\u670d\u52a1\u5668\u7f51\u5173\u63a5\u53e3\uff09\u670d\u52a1\u5668\u3002\n\nWaitress 1.4.0\u53ca\u4e4b\u524d\u7248\u672c\u4e2d\u5b58\u5728\u73af\u5883\u95ee\u9898\u6f0f\u6d1e\u3002\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7f51\u7edc\u7cfb\u7edf\u6216\u4ea7\u54c1\u7684\u73af\u5883\u56e0\u7d20\u4e0d\u5408\u7406\u3002 \u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5bfc\u81f4\u6f5c\u5728\u7684\u7f13\u5b58\u4e2d\u6bd2\u6216\u610f\u5916\u7684\u4fe1\u606f\u6cc4\u9732\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u76f8\u5173\u6f0f\u6d1e\u8865\u4e01\u4fee\u590d\u94fe\u63a5\uff0c\u8bf7\u53ca\u65f6\u66f4\u65b0\uff1a\r\nhttps://github.com/Pylons/waitress/commit/11d9e138125ad46e951027184b13242a3c1de017",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2020-01160",
  "openTime": "2020-01-08",
  "patchDescription": "Waitress\u662f\u4e00\u6b3e\u7528\u4e8ePython\u7684WSGI\uff08Web\u670d\u52a1\u5668\u7f51\u5173\u63a5\u53e3\uff09\u670d\u52a1\u5668\u3002\r\n\r\nWaitress 1.4.0\u53ca\u4e4b\u524d\u7248\u672c\u4e2d\u5b58\u5728\u73af\u5883\u95ee\u9898\u6f0f\u6d1e\u3002\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7f51\u7edc\u7cfb\u7edf\u6216\u4ea7\u54c1\u7684\u73af\u5883\u56e0\u7d20\u4e0d\u5408\u7406\u3002 \u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5bfc\u81f4\u6f5c\u5728\u7684\u7f13\u5b58\u4e2d\u6bd2\u6216\u610f\u5916\u7684\u4fe1\u606f\u6cc4\u9732\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Waitress\u73af\u5883\u95ee\u9898\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "Waitress Waitress \u003c=1.4.0"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2019-16789",
  "serverity": "\u9ad8",
  "submitTime": "2019-12-27",
  "title": "Waitress\u73af\u5883\u95ee\u9898\u6f0f\u6d1e"
}

CVE-2019-16789 (GCVE-0-2019-16789)

Vulnerability from cvelistv5

Published

2019-12-26 16:40

Modified

2024-08-05 01:24

Severity ?

7.1 (High) - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:H/A:N

CWE

CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

Summary

In Waitress through version 1.4.0, if a proxy server is used in front of waitress, an invalid request may be sent by an attacker that bypasses the front-end and is parsed differently by waitress leading to a potential for HTTP request smuggling. Specially crafted requests containing special whitespace characters in the Transfer-Encoding header would get parsed by Waitress as being a chunked request, but a front-end server would use the Content-Length instead as the Transfer-Encoding header is considered invalid due to containing invalid characters. If a front-end server does HTTP pipelining to a backend Waitress server this could lead to HTTP request splitting which may lead to potential cache poisoning or unexpected information disclosure. This issue is fixed in Waitress 1.4.1 through more strict HTTP field validation.

References

▼	URL	Tags
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GVDHR2DNKCNQ7YQXISJ45NT4IQDX3LJ7/	vendor-advisory, x_refsource_FEDORA
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LYEOTGWJZVKPRXX2HBNVIYWCX73QYPM5/	vendor-advisory, x_refsource_FEDORA
	https://access.redhat.com/errata/RHSA-2020:0720	vendor-advisory, x_refsource_REDHAT
	https://www.oracle.com/security-alerts/cpuapr2022.html	x_refsource_MISC
	https://docs.pylonsproject.org/projects/waitress/en/latest/#security-fixes	x_refsource_MISC
	https://github.com/github/advisory-review/pull/14604	x_refsource_CONFIRM
	https://github.com/Pylons/waitress/commit/11d9e138125ad46e951027184b13242a3c1de017	x_refsource_MISC
	https://lists.debian.org/debian-lts-announce/2022/05/msg00011.html	mailing-list, x_refsource_MLIST

Impacted products

	Vendor	Product	Version
	Pylons	Waitress	Version: < 1.4.1 < 1.4.1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T01:24:48.331Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "FEDORA-2020-bdcc8ffc24",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GVDHR2DNKCNQ7YQXISJ45NT4IQDX3LJ7/"
          },
          {
            "name": "FEDORA-2020-65a7744e38",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LYEOTGWJZVKPRXX2HBNVIYWCX73QYPM5/"
          },
          {
            "name": "RHSA-2020:0720",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2020:0720"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://docs.pylonsproject.org/projects/waitress/en/latest/#security-fixes"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/github/advisory-review/pull/14604"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/Pylons/waitress/commit/11d9e138125ad46e951027184b13242a3c1de017"
          },
          {
            "name": "[debian-lts-announce] 20220512 [SECURITY] [DLA 3000-1] waitress security update",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2022/05/msg00011.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Waitress",
          "vendor": "Pylons",
          "versions": [
            {
              "lessThan": "1.4.1",
              "status": "affected",
              "version": "\u003c 1.4.1",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In Waitress through version 1.4.0, if a proxy server is used in front of waitress, an invalid request may be sent by an attacker that bypasses the front-end and is parsed differently by waitress leading to a potential for HTTP request smuggling. Specially crafted requests containing special whitespace characters in the Transfer-Encoding header would get parsed by Waitress as being a chunked request, but a front-end server would use the Content-Length instead as the Transfer-Encoding header is considered invalid due to containing invalid characters. If a front-end server does HTTP pipelining to a backend Waitress server this could lead to HTTP request splitting which may lead to potential cache poisoning or unexpected information disclosure. This issue is fixed in Waitress 1.4.1 through more strict HTTP field validation."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "LOW",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-444",
              "description": "CWE-444 Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request Smuggling\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-05-12T23:06:09",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "FEDORA-2020-bdcc8ffc24",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GVDHR2DNKCNQ7YQXISJ45NT4IQDX3LJ7/"
        },
        {
          "name": "FEDORA-2020-65a7744e38",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LYEOTGWJZVKPRXX2HBNVIYWCX73QYPM5/"
        },
        {
          "name": "RHSA-2020:0720",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2020:0720"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://docs.pylonsproject.org/projects/waitress/en/latest/#security-fixes"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/github/advisory-review/pull/14604"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/Pylons/waitress/commit/11d9e138125ad46e951027184b13242a3c1de017"
        },
        {
          "name": "[debian-lts-announce] 20220512 [SECURITY] [DLA 3000-1] waitress security update",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2022/05/msg00011.html"
        }
      ],
      "source": {
        "advisory": "GHSA-m5ff-3wj3-8ph4",
        "discovery": "UNKNOWN"
      },
      "title": "HTTP Request Smuggling in Waitress: Invalid whitespace characters in headers",
      "workarounds": [
        {
          "lang": "en",
          "value": "You may enable additional protections on front-end servers, those that follow RFC7230 correctly would drop the request with a 400 Bad Request.\n\nWaitress will now correctly responds to the request with a 400 Bad Request, and will drop the connection to avoid any potential HTTP pipelining issues."
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2019-16789",
          "STATE": "PUBLIC",
          "TITLE": "HTTP Request Smuggling in Waitress: Invalid whitespace characters in headers"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Waitress",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_name": "\u003c 1.4.1",
                            "version_value": "1.4.1"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Pylons"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "In Waitress through version 1.4.0, if a proxy server is used in front of waitress, an invalid request may be sent by an attacker that bypasses the front-end and is parsed differently by waitress leading to a potential for HTTP request smuggling. Specially crafted requests containing special whitespace characters in the Transfer-Encoding header would get parsed by Waitress as being a chunked request, but a front-end server would use the Content-Length instead as the Transfer-Encoding header is considered invalid due to containing invalid characters. If a front-end server does HTTP pipelining to a backend Waitress server this could lead to HTTP request splitting which may lead to potential cache poisoning or unexpected information disclosure. This issue is fixed in Waitress 1.4.1 through more strict HTTP field validation."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "LOW",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:H/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-444 Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request Smuggling\u0027)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "FEDORA-2020-bdcc8ffc24",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GVDHR2DNKCNQ7YQXISJ45NT4IQDX3LJ7/"
            },
            {
              "name": "FEDORA-2020-65a7744e38",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LYEOTGWJZVKPRXX2HBNVIYWCX73QYPM5/"
            },
            {
              "name": "RHSA-2020:0720",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2020:0720"
            },
            {
              "name": "https://www.oracle.com/security-alerts/cpuapr2022.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
            },
            {
              "name": "https://docs.pylonsproject.org/projects/waitress/en/latest/#security-fixes",
              "refsource": "MISC",
              "url": "https://docs.pylonsproject.org/projects/waitress/en/latest/#security-fixes"
            },
            {
              "name": "https://github.com/github/advisory-review/pull/14604",
              "refsource": "CONFIRM",
              "url": "https://github.com/github/advisory-review/pull/14604"
            },
            {
              "name": "https://github.com/Pylons/waitress/commit/11d9e138125ad46e951027184b13242a3c1de017",
              "refsource": "MISC",
              "url": "https://github.com/Pylons/waitress/commit/11d9e138125ad46e951027184b13242a3c1de017"
            },
            {
              "name": "[debian-lts-announce] 20220512 [SECURITY] [DLA 3000-1] waitress security update",
              "refsource": "MLIST",
              "url": "https://lists.debian.org/debian-lts-announce/2022/05/msg00011.html"
            }
          ]
        },
        "source": {
          "advisory": "GHSA-m5ff-3wj3-8ph4",
          "discovery": "UNKNOWN"
        },
        "work_around": [
          {
            "lang": "en",
            "value": "You may enable additional protections on front-end servers, those that follow RFC7230 correctly would drop the request with a 400 Bad Request.\n\nWaitress will now correctly responds to the request with a 400 Bad Request, and will drop the connection to avoid any potential HTTP pipelining issues."
          }
        ]
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2019-16789",
    "datePublished": "2019-12-26T16:40:12",
    "dateReserved": "2019-09-24T00:00:00",
    "dateUpdated": "2024-08-05T01:24:48.331Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted