Описание
HTTP Request Smuggling in Waitress: Invalid whitespace characters in headers (Follow-up)
Impact
The patches introduced to fix https://github.com/Pylons/waitress/security/advisories/GHSA-m5ff-3wj3-8ph4 were not complete and still would allow an attacker to smuggle requests/split a HTTP request with invalid data.
This updates the existing CVE with ID: CVE-2019-16789
Patches
Waitress version 1.4.2 has been updated to now validate HTTP headers better to avoid the issue, completely fixing all known issues with whitespace.
Workarounds
There are no work-arounds, upgrading to Waitress 1.4.2 is highly recommended.
References
See https://github.com/Pylons/waitress/security/advisories/GHSA-m5ff-3wj3-8ph4 for more information on the security issue.
For more information
If you have any questions or comments about this advisory:
- open an issue at https://github.com/Pylons/waitress/issues (if not sensitive or security related)
- email the Pylons Security mailing list: pylons-project-security@googlegroups.com (if security related)
Ссылки
- https://github.com/Pylons/waitress/security/advisories/GHSA-968f-66r5-5v74
- https://nvd.nist.gov/vuln/detail/CVE-2019-16789
- https://github.com/github/advisory-review/pull/14604
- https://github.com/Pylons/waitress/commit/11d9e138125ad46e951027184b13242a3c1de017
- https://github.com/Pylons/waitress/commit/ddb65b489d01d696afa1695b75fdd5df3e4ffdf8
- https://access.redhat.com/errata/RHSA-2020:0720
- https://docs.pylonsproject.org/projects/waitress/en/latest/#security-fixes
- https://github.com/advisories/GHSA-968f-66r5-5v74
- https://github.com/pypa/advisory-database/tree/main/vulns/waitress/PYSEC-2019-138.yaml
- https://lists.debian.org/debian-lts-announce/2022/05/msg00011.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GVDHR2DNKCNQ7YQXISJ45NT4IQDX3LJ7
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LYEOTGWJZVKPRXX2HBNVIYWCX73QYPM5
- https://www.oracle.com/security-alerts/cpuapr2022.html
Пакеты
waitress
< 1.4.2
1.4.2
Связанные уязвимости
In Waitress through version 1.4.0, if a proxy server is used in front of waitress, an invalid request may be sent by an attacker that bypasses the front-end and is parsed differently by waitress leading to a potential for HTTP request smuggling. Specially crafted requests containing special whitespace characters in the Transfer-Encoding header would get parsed by Waitress as being a chunked request, but a front-end server would use the Content-Length instead as the Transfer-Encoding header is considered invalid due to containing invalid characters. If a front-end server does HTTP pipelining to a backend Waitress server this could lead to HTTP request splitting which may lead to potential cache poisoning or unexpected information disclosure. This issue is fixed in Waitress 1.4.1 through more strict HTTP field validation.
In Waitress through version 1.4.0, if a proxy server is used in front of waitress, an invalid request may be sent by an attacker that bypasses the front-end and is parsed differently by waitress leading to a potential for HTTP request smuggling. Specially crafted requests containing special whitespace characters in the Transfer-Encoding header would get parsed by Waitress as being a chunked request, but a front-end server would use the Content-Length instead as the Transfer-Encoding header is considered invalid due to containing invalid characters. If a front-end server does HTTP pipelining to a backend Waitress server this could lead to HTTP request splitting which may lead to potential cache poisoning or unexpected information disclosure. This issue is fixed in Waitress 1.4.1 through more strict HTTP field validation.
In Waitress through version 1.4.0, if a proxy server is used in front of waitress, an invalid request may be sent by an attacker that bypasses the front-end and is parsed differently by waitress leading to a potential for HTTP request smuggling. Specially crafted requests containing special whitespace characters in the Transfer-Encoding header would get parsed by Waitress as being a chunked request, but a front-end server would use the Content-Length instead as the Transfer-Encoding header is considered invalid due to containing invalid characters. If a front-end server does HTTP pipelining to a backend Waitress server this could lead to HTTP request splitting which may lead to potential cache poisoning or unexpected information disclosure. This issue is fixed in Waitress 1.4.1 through more strict HTTP field validation.
In Waitress through version 1.4.0, if a proxy server is used in front ...
Уязвимость WSGI сервера для python Waitress, связанная с недостатками обработки HTTP-запросов, позволяющая нарушителю получить доступ к конфиденциальным данным и нарушить их целостность