CVE-2019-16786

Waitress through version 1.3.1 would parse the Transfer-Encoding header and only look for a single string value, if that value was not chunked it would fall through and use the Content-Length header instead. According to the HTTP standard Transfer-Encoding should be a comma separated list, with the inner-most encoding first, followed by any further transfer codings, ending with chunked. Requests sent with: "Transfer-Encoding: gzip, chunked" would incorrectly get ignored, and the request would use a Content-Length header instead to determine the body size of the HTTP message. This could allow for Waitress to treat a single request as multiple requests in the case of HTTP pipelining. This issue is fixed in Waitress 1.4.0.

Published: Dec 21, 2019
Updated: Nov 8, 2023
CVE: CVE-2019-16786
GHSA: GHSA-g2xc-35jw-c63p
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.5
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CVSS v2:

Severity: Medium
Score: 5
AV:N/AC:L/Au:N/C:N/I:P/A:N

CWEs:

CWE-444

Affected Software
References

Software	From	Fixed in
agendaless / waitress	-	1.3.1
oracle / communications_cloud_native_core_network_function_cloud_native_environment	1.10.0	1.10.0.x
debian / debian_linux	9.0	9.0.x
fedoraproject / fedora	30	30.x
fedoraproject / fedora	31	31.x
redhat / openstack	15	15.x
waitress	-	1.4.0

Vulnerability Database

CVE-2019-16786

Deep Security Visibility Without the Complexity