HTTP Request Smuggling in Waitress: Invalid whitespace characters in headers (Follow-up)
Description
Published by the National Vulnerability Database
Dec 26, 2019
Reviewed
Jan 6, 2020
Published to the GitHub Advisory Database
Jan 6, 2020
Last updated
Nov 19, 2024
Impact
The patches introduced to fix GHSA-m5ff-3wj3-8ph4 were not complete and still would allow an attacker to smuggle requests/split a HTTP request with invalid data.
This updates the existing CVE with ID: CVE-2019-16789
Patches
Waitress version 1.4.2 has been updated to now validate HTTP headers better to avoid the issue, completely fixing all known issues with whitespace.
Workarounds
There are no work-arounds, upgrading to Waitress 1.4.2 is highly recommended.
References
See GHSA-m5ff-3wj3-8ph4 for more information on the security issue.
For more information
If you have any questions or comments about this advisory:
References