HTTP Request Smuggling: Content-Length Sent Twice in Waitress
CVE-2019-16792

7.1HIGH

Key Information:

Vendor

Pylons

Status
Waitress
Vendor
CVE Published:
22 January 2020

What is CVE-2019-16792?

Waitress through version 1.3.1 allows request smuggling by sending the Content-Length header twice. Waitress would header fold a double Content-Length header and due to being unable to cast the now comma separated value to an integer would set the Content-Length to 0 internally. If two Content-Length headers are sent in a single request, Waitress would treat the request as having no body, thereby treating the body of the request as a new request in HTTP pipelining. This issue is fixed in Waitress 1.4.0.

Affected Version(s)

Waitress <= 1.3.1 <= 1.3.1

References

https://www.oracle.com/security-alerts/cpuapr2022.html
x_refsource_MISC
https://docs.pylonsproject.org/projects/waitress/en/lates...
x_refsource_MISC
https://github.com/Pylons/waitress/security/advisories/GH...
x_refsource_CONFIRM

CVSS V3.1

Score:
7.1
Severity:
HIGH
Confidentiality:
High
Integrity:
Low
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.