CVE-2019-16792

Waitress through version 1.3.1 allows request smuggling by sending the Content-Length header twice. Waitress would header fold a double Content-Length header and due to being unable to cast the now comma separated value to an integer would set the Content-Length to 0 internally. If two Content-Length headers are sent in a single request, Waitress would treat the request as having no body, thereby treating the body of the request as a new request in HTTP pipelining. This issue is fixed in Waitress 1.4.0.

Database specific

{
    "unresolved_ranges": [
        {
            "extracted_events": [
                {
                    "last_affected": "1.10.0"
                }
            ],
            "cpe": "cpe:2.3:a:oracle:communications_cloud_native_core_network_function_cloud_native_environment:1.10.0:*:*:*:*:*:*:*",
            "source": "CPE_FIELD"
        },
        {
            "extracted_events": [
                {
                    "last_affected": "9.0"
                }
            ],
            "cpe": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*",
            "source": "CPE_FIELD"
        }
    ]
}

References

Affected packages

Git / github.com/pylons/waitress

Affected ranges

Type

GIT

Repo

https://github.com/pylons/waitress

Events

Introduced

Last affected

05e965e02f9d73fa6db18a120da1bebcfe429ca2

Database specific

{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "1.3.1"
        }
    ],
    "cpe": "cpe:2.3:a:agendaless:waitress:*:*:*:*:*:*:*:*",
    "source": "CPE_FIELD"
}

Affected versions

0.*

0.1

0.2

0.3

0.4

0.5

0.6

0.6.1

0.7

0.8

0.8.1

0.8.10

0.8.11b0

0.8.2

0.8.3

0.8.4

0.8.5

0.8.6

0.8.7

0.8.8

0.8.9

0.9.0b0

v0.*

v0.9.0

v0.9.0b1

v1.*

v1.0.0

v1.0.1

v1.0.2

v1.0a1

v1.0a2

v1.1.0

v1.2.0

v1.2.0b1

v1.2.0b2

v1.2.0b3

v1.2.1

v1.3.0

v1.3.0b0

v1.3.1

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2019-16792.json"