CVE-2019-16789

HIGH7.1EPSS 0.88%

HTTP Request Smuggling in Waitress: Invalid whitespace characters in headers (Follow-up)

發布日:2020/1/6修改日:2024/11/19
也稱為:GHSA-968f-66r5-5v74DEBIAN-CVE-2019-16789PYSEC-2019-138

描述

### Impact The patches introduced to fix https://github.com/Pylons/waitress/security/advisories/GHSA-m5ff-3wj3-8ph4 were not complete and still would allow an attacker to smuggle requests/split a HTTP request with invalid data. This updates the existing CVE with ID: CVE-2019-16789 ### Patches Waitress version 1.4.2 has been updated to now validate HTTP headers better to avoid the issue, completely fixing all known issues with whitespace. ### Workarounds There are no work-arounds, upgrading to Waitress 1.4.2 is highly recommended. ### References See https://github.com/Pylons/waitress/security/advisories/GHSA-m5ff-3wj3-8ph4 for more information on the security issue. ### For more information If you have any questions or comments about this advisory: * open an issue at https://github.com/Pylons/waitress/issues (if not sensitive or security related) * email the Pylons Security mailing list: [email protected] (if security related)

受影響套件(4)

CVSS 分數

來源版本嚴重程度向量
osvCVSS 4.0CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N
osvCVSS 3.1HIGH7.1CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:H/A:N

參考連結(17)