Описание
Waitress through version 1.3.1 would parse the Transfer-Encoding header and only look for a single string value, if that value was not chunked it would fall through and use the Content-Length header instead. According to the HTTP standard Transfer-Encoding should be a comma separated list, with the inner-most encoding first, followed by any further transfer codings, ending with chunked. Requests sent with: "Transfer-Encoding: gzip, chunked" would incorrectly get ignored, and the request would use a Content-Length header instead to determine the body size of the HTTP message. This could allow for Waitress to treat a single request as multiple requests in the case of HTTP pipelining. This issue is fixed in Waitress 1.4.0.
An HTTP-interpretation flaw was found in waitress which did not properly validate incoming HTTP headers. When parsing the Transfer-Encoding header, waitress would look only for a single string value. According to the HTTP standard, Transfer-Encoding should be a comma-separated list, with the inner-most encoding first, followed by any further transfer codings, ending with 'chunked'. Because of this flaw, requests sent with: "Transfer-Encoding: gzip, chunked" would get ignored, and waitress would use the Content-Length header instead to determine the body size of the HTTP message. A remote attacker could exploit this flaw to force waitress to accept potentially bad HTTP requests or treat a single request as multiple requests in the case of HTTP pipelining.
Отчет
All affected Red Hat products ship but do not use the flawed version of python-waitress. The impact for these products is therefore rated as having a security impact of Low. In Red Hat OpenStack Platform 13, because the flawed code is not used and the fix would require a substantial amount of development, no update will be provided at this time for the RHOSP13 python-waitress package.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Ceph Storage 3 | python-waitress | Affected | ||
| Red Hat Ceph Storage 4 | python-waitress | Affected | ||
| Red Hat OpenStack Platform 13 (Queens) | python-waitress | Will not fix | ||
| Red Hat OpenStack Platform 16 (Train) | python-waitress | Affected | ||
| Red Hat OpenStack Platform 15.0 (Stein) | python-waitress | Fixed | RHSA-2020:0720 | 05.03.2020 |
| Red Hat Quay 3 | quay/clair-rhel8 | Fixed | RHSA-2021:0420 | 04.02.2021 |
| Red Hat Quay 3 | quay/quay-bridge-operator-bundle | Fixed | RHSA-2021:0420 | 04.02.2021 |
| Red Hat Quay 3 | quay/quay-bridge-operator-rhel8 | Fixed | RHSA-2021:0420 | 04.02.2021 |
| Red Hat Quay 3 | quay/quay-builder-qemu-rhcos-rhel8 | Fixed | RHSA-2021:0420 | 04.02.2021 |
| Red Hat Quay 3 | quay/quay-builder-rhel8 | Fixed | RHSA-2021:0420 | 04.02.2021 |
Показывать по
Дополнительная информация
Статус:
7.1 High
CVSS3
Связанные уязвимости
Waitress through version 1.3.1 would parse the Transfer-Encoding header and only look for a single string value, if that value was not chunked it would fall through and use the Content-Length header instead. According to the HTTP standard Transfer-Encoding should be a comma separated list, with the inner-most encoding first, followed by any further transfer codings, ending with chunked. Requests sent with: "Transfer-Encoding: gzip, chunked" would incorrectly get ignored, and the request would use a Content-Length header instead to determine the body size of the HTTP message. This could allow for Waitress to treat a single request as multiple requests in the case of HTTP pipelining. This issue is fixed in Waitress 1.4.0.
Waitress through version 1.3.1 would parse the Transfer-Encoding header and only look for a single string value, if that value was not chunked it would fall through and use the Content-Length header instead. According to the HTTP standard Transfer-Encoding should be a comma separated list, with the inner-most encoding first, followed by any further transfer codings, ending with chunked. Requests sent with: "Transfer-Encoding: gzip, chunked" would incorrectly get ignored, and the request would use a Content-Length header instead to determine the body size of the HTTP message. This could allow for Waitress to treat a single request as multiple requests in the case of HTTP pipelining. This issue is fixed in Waitress 1.4.0.
Waitress through version 1.3.1 would parse the Transfer-Encoding heade ...
HTTP Request Smuggling: Invalid Transfer-Encoding in Waitress
Уязвимость WSGI сервера для python Waitress, позволяющая нарушителю оказать воздействие на целостность данных
7.1 High
CVSS3