GHSA-j7j6-7hfx-5522

Source

https://github.com/advisories/GHSA-j7j6-7hfx-5522

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-j7j6-7hfx-5522/GHSA-j7j6-7hfx-5522.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-j7j6-7hfx-5522

Aliases

Published

2022-05-24T17:07:06Z

Modified

2023-11-08T04:01:21.890990Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVSS Calculator

Summary

Inconsistent Interpretation of HTTP Requests in Waitress

Details

Waitress through version 1.3.1 allows request smuggling by sending the Content-Length header twice. Waitress would header fold a double Content-Length header and due to being unable to cast the now comma separated value to an integer would set the Content-Length to 0 internally. If two Content-Length headers are sent in a single request, Waitress would treat the request as having no body, thereby treating the body of the request as a new request in HTTP pipelining. This issue is fixed in Waitress 1.4.0.

References

Affected packages

PyPI / waitress

Package

Name: waitress; View open source insights on deps.dev
Purl: pkg:pypi/waitress

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.4.0

Affected versions

0.*

0.1

0.2

0.3

0.4

0.5

0.6

0.6.1

0.7

0.8

0.8.1

0.8.2

0.8.3

0.8.4

0.8.5

0.8.6

0.8.7

0.8.8

0.8.9

0.8.10

0.8.11b0

0.9.0b0

0.9.0b1

0.9.0

1.*

1.0a1

1.0a2

1.0.0

1.0.1

1.0.2

1.1.0

1.2.0b1

1.2.0b2

1.2.0b3

1.2.0

1.2.1

1.3.0b0

1.3.0

1.3.1

Database specific

{
    "last_known_affected_version_range": "<= 1.3.1"
}