PYSEC-2019-136

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/waitress/PYSEC-2019-136.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2019-136
Aliases
Published
2019-12-20T23:15:00Z
Modified
2023-11-08T04:01:21.641524Z
Summary
[none]
Details

Waitress through version 1.3.1 implemented a "MAY" part of the RFC7230 which states: "Although the line terminator for the start-line and header fields is the sequence CRLF, a recipient MAY recognize a single LF as a line terminator and ignore any preceding CR." Unfortunately if a front-end server does not parse header fields with an LF the same way as it does those with a CRLF it can lead to the front-end and the back-end server parsing the same HTTP message in two different ways. This can lead to a potential for HTTP request smuggling/splitting whereby Waitress may see two requests while the front-end server only sees a single HTTP message. This issue is fixed in Waitress 1.4.0.

References

Affected packages

PyPI / waitress

Package

Affected ranges

Type
GIT
Repo
https://github.com/Pylons/waitress
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.4.0

Affected versions

0.*

0.1
0.2
0.3
0.4
0.5
0.6
0.6.1
0.7
0.8
0.8.1
0.8.2
0.8.3
0.8.4
0.8.5
0.8.6
0.8.7
0.8.8
0.8.9
0.8.10
0.8.11b0
0.9.0b0
0.9.0b1
0.9.0

1.*

1.0a1
1.0a2
1.0.0
1.0.1
1.0.2
1.1.0
1.2.0b1
1.2.0b2
1.2.0b3
1.2.0
1.2.1
1.3.0b0
1.3.0
1.3.1