py-waitress: Multiple vulnerabilities (CVE-2019-16785, CVE-2019-16786, CVE-2019-16789)
CVE-2019-16785: HTTP request smuggling through LF vs CRLF handling
Waitress through version 1.3.1 implemented a "MAY" part of RFC 7230, which states: "Although the line terminator for the start-line and header fields is the sequence CRLF, a recipient MAY recognize a single LF as a line terminator and ignore any preceding CR." Unfortunately, if a front-end server does not parse header fields terminated with a bare LF the same way as those terminated with CRLF, the front-end and the back-end server can parse the same HTTP message in two different ways. This creates the potential for HTTP request smuggling/splitting, whereby Waitress may see two requests while the front-end server only sees a single HTTP message.
Fixed In Version: py-waitress 1.4.0
References:
- https://github.com/Pylons/waitress/security/advisories/GHSA-pg36-wpm5-g57p
- https://nvd.nist.gov/vuln/detail/CVE-2019-16785
Patch:
https://github.com/Pylons/waitress/commit/8eba394ad75deaf9e5cd15b78a3d16b12e6b0eba
CVE-2019-16786: HTTP request smuggling through invalid Transfer-Encoding
Waitress through version 1.3.1 parsed the Transfer-Encoding header looking for a single string value; if that value was not "chunked", it fell through and used the Content-Length header instead. According to the HTTP standard, Transfer-Encoding is a comma separated list with the inner-most encoding first, followed by any further transfer codings, ending with chunked. Requests sent with "Transfer-Encoding: gzip, chunked" would therefore be incorrectly ignored, and the request would use the Content-Length header instead to determine the body size of the HTTP message. This could allow Waitress to treat a single request as multiple requests in the case of HTTP pipelining.
Fixed In Version: py-waitress 1.4.0
References:
- https://github.com/Pylons/waitress/security/advisories/GHSA-g2xc-35jw-c63p
- https://nvd.nist.gov/vuln/detail/CVE-2019-16786
Patch:
https://github.com/Pylons/waitress/commit/f11093a6b3240fc26830b6111e826128af7771c3
CVE-2019-16789: HTTP Request Smuggling through Invalid whitespace characters in headers
In Waitress through version 1.4.0, if a proxy server is used in front of Waitress, an attacker may send an invalid request that bypasses the front-end and is parsed differently by Waitress, leading to a potential for HTTP request smuggling. Specially crafted requests containing special whitespace characters in the Transfer-Encoding header would be parsed by Waitress as chunked requests, but a front-end server would use the Content-Length instead, as the Transfer-Encoding header is considered invalid due to containing invalid characters. If a front-end server does HTTP pipelining to a backend Waitress server, this could lead to HTTP request splitting, which may lead to potential cache poisoning or unexpected information disclosure.
Affected Versions: py-waitress<1.4.0
Fixed In Version: py-waitress 1.4.1
References:
- https://github.com/Pylons/waitress/security/advisories/GHSA-m5ff-3wj3-8ph4
- https://nvd.nist.gov/vuln/detail/CVE-2019-16789
Patch:
https://github.com/Pylons/waitress/commit/11d9e138125ad46e951027184b13242a3c1de017
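All three advisories above describe one class of defect: the back-end framing a request body differently from the front-end in front of it. The following added example (written for this page, not Waitress's own code or its patches) is a strict request-head parser that rejects each of the three ambiguous inputs instead of guessing: bare LF line terminators (CVE-2019-16785), a Transfer-Encoding list whose final coding is not chunked (CVE-2019-16786), and Transfer-Encoding values containing whitespace other than SP/HTAB (CVE-2019-16789), plus the RFC 7230 section 3.3.3 rule that a message carrying both Transfer-Encoding and Content-Length is an error. The sample requests, function names and error strings are all constructed for the example; transfer-coding parameters and request-line validation are out of scope here.

```python
import re

# RFC 7230 token characters; field names and transfer-coding names must be tokens.
TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
DIGITS_RE = re.compile(r"^[0-9]+$")


def split_head(raw: bytes):
    """Split the request head into lines, accepting only CRLF as terminator.

    A bare LF or a stray CR is reported instead of tolerated, so this parser
    cannot see a line break that a CRLF-only front-end does not (CVE-2019-16785).
    Returns (lines, errors)."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    errors = []
    leftover = head.replace(b"\r\n", b"")
    if b"\n" in leftover:
        errors.append("bare LF used as line terminator")
    if b"\r" in leftover:
        errors.append("stray CR in request head")
    lines = [line.decode("latin-1") for line in head.split(b"\r\n")]
    return lines, errors


def parse_headers(lines):
    """Parse 'Name: value' lines into {lower_name: [values]}; returns (headers, errors)."""
    headers, errors = {}, []
    for line in lines[1:]:  # lines[0] is the request line, not validated here
        name, sep, value = line.partition(":")
        if not sep or not TOKEN_RE.match(name):
            errors.append("malformed header line %r" % line)
            continue
        # Only SP and HTAB are optional whitespace around a field value.
        headers.setdefault(name.lower(), []).append(value.strip(" \t"))
    return headers, errors


def parse_transfer_encoding(value: str):
    """Parse Transfer-Encoding as the comma separated list RFC 7230 defines.

    Each element must be a token once SP/HTAB are trimmed; any other whitespace
    (VT, FF, NBSP, ...) leaves the element invalid, which is the input class
    behind CVE-2019-16789. Transfer-coding parameters are not supported here
    and are reported as invalid. Returns (codings, errors)."""
    codings, errors = [], []
    for element in value.split(","):
        element = element.strip(" \t")
        if element == "":
            continue  # empty list elements are permitted by the list ABNF
        if not TOKEN_RE.match(element):
            errors.append("invalid transfer-coding %r" % element)
            continue
        codings.append(element.lower())
    return codings, errors


def decide_framing(raw: bytes):
    """Decide how the body is delimited, or raise ValueError for ambiguous input.

    Returns ('chunked', codings), ('content-length', n) or ('none', 0).
    Any request whose framing a strict front-end could read differently is
    rejected rather than guessed, following RFC 7230 section 3.3.3."""
    lines, errors = split_head(raw)
    headers, herrs = parse_headers(lines)
    errors += herrs
    te = headers.get("transfer-encoding")
    cl = headers.get("content-length")
    codings = []
    if te is not None:
        # Multiple Transfer-Encoding fields combine into one comma separated list.
        codings, cerrs = parse_transfer_encoding(",".join(te))
        errors += cerrs
        if not codings:
            errors.append("empty Transfer-Encoding")
        elif codings[-1] != "chunked":
            # Without chunked as the final coding the body length is unknowable.
            errors.append("chunked must be the final transfer-coding")
        if cl is not None:
            errors.append("both Transfer-Encoding and Content-Length present")
    if cl is not None and (len(set(cl)) != 1 or not DIGITS_RE.match(cl[0])):
        errors.append("invalid or conflicting Content-Length")
    if errors:
        raise ValueError("; ".join(errors))
    if te is not None:
        return "chunked", codings
    if cl is not None:
        return "content-length", int(cl[0])
    return "none", 0


# Constructed sample requests (not from the advisory) exercising each check.
SAMPLES = {
    "ok_chunked": b"POST / HTTP/1.1\r\nHost: app\r\nTransfer-Encoding: gzip, chunked\r\n\r\n",
    "ok_length": b"POST / HTTP/1.1\r\nHost: app\r\nContent-Length: 5\r\n\r\nhello",
    "bare_lf": b"POST / HTTP/1.1\nHost: app\nContent-Length: 5\r\n\r\nhello",
    "odd_whitespace": b"POST / HTTP/1.1\r\nHost: app\r\nTransfer-Encoding: \x0bchunked\r\nContent-Length: 0\r\n\r\n",
    "chunked_not_last": b"POST / HTTP/1.1\r\nHost: app\r\nTransfer-Encoding: chunked, gzip\r\n\r\n",
}


def check_all():
    """Return {sample name: framing decision or 'rejected: ...' text}."""
    results = {}
    for name, raw in SAMPLES.items():
        try:
            results[name] = decide_framing(raw)
        except ValueError as exc:
            results[name] = "rejected: " + str(exc)
    return results


if __name__ == "__main__":
    for name, result in check_all().items():
        print(f"{name:18} {result}")
```

Running the block prints the decision for each constructed sample: the two well-formed requests get a framing, and the three ambiguous ones are rejected with the reason. The design point is that the back-end must be at least as strict as the front-end about what counts as a line terminator and a valid Transfer-Encoding value; a lenient parser behind a strict proxy is exactly the mismatch these three CVEs exploit.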
Affected branches:
- master (1dae7c4d)
- 3.11-stable